Cyber Resilience

CVE-2023-40195

HighRCE

Published: 28 August 2023

Published
28 August 2023
Modified
23 April 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0392 88.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-40195 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Airflow Spark Provider. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 11.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to configure Spark…

more

hooks can effectively run arbitrary code on the Airflow node by pointing it at a malicious Spark server. Prior to version 4.1.3, this was not called out in the documentation explicitly, so it is possible that administrators provided authorizations to configure Spark hooks without taking this into account. We recommend administrators to review their configurations to make sure the authorization to configure Spark hooks is only provided to fully trusted users. To view the warning in the docs please visit https://airflow.apache.org/docs/apache-airflow-providers-apache-spark/4.1.3/connections/spark.html

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
airflow spark provider
≤ 4.1.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-829 CWE-502

Isolated execution prevents functionality from an untrusted sphere from affecting the real environment, allowing safe behavioral inspection.

addresses: CWE-829 CWE-502

Detects and prevents inclusion of malicious functionality downloaded from untrusted control spheres.

addresses: CWE-502 CWE-829

Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-829

Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.

addresses: CWE-829

Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.

addresses: CWE-829

The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.

addresses: CWE-829

Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.

References