Severity: low Affected versions:
- Apache Airflow CNCF Kubernetes Provider 5.0.0 through 6.1.0 Description: Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability. References: https://airflow.apache.org/ https://www.cve.org/CVERecord?id=CVE-2023-33234
