CVE-2023-50943 - OpenCVE

Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Airflow

Configuration 1 [-]

cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/01/24/4
https://github.com/apache/airflow/pull/36255
https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-01-24T12:57:07.287Z

Updated: 2024-08-02T22:23:43.928Z

Reserved: 2023-12-16T16:02:36.817Z

Link: CVE-2023-50943

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-24T13:15:07.953

Modified: 2024-01-30T22:57:59.310

Link: CVE-2023-50943

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-50943", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-12-16T16:02:36.817Z", "datePublished": "2024-01-24T12:57:07.287Z", "dateUpdated": "2024-08-02T22:23:43.928Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://pypi.python.org", "defaultStatus": "unaffected", "packageName": "apache-airflow", "product": "Apache Airflow", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.8.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Peng Zhou (zpbrent@gmail.com)"}, {"lang": "en", "type": "remediation developer", "value": "Hussein Awala"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of \"enable_xcom_pickling=False\" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.<br>"}], "value": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of \"enable_xcom_pickling=False\" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.\n"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-01-24T12:57:07.287Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/apache/airflow/pull/36255"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/24/4"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Airflow: Potential pickle deserialization vulnerability in XComs", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:23:43.928Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://github.com/apache/airflow/pull/36255"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/24/4", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "601FB744-D9A1-4FE0-A5AD-552A9605C501", "versionEndExcluding": "2.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of \"enable_xcom_pickling=False\" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.\n"}, {"lang": "es", "value": "Apache Airflow, versiones anteriores a 2.8.1, tienen una vulnerabilidad que permite a un atacante potencial envenenar los datos de XCom al evadir la protecci\u00f3n de la configuraci\u00f3n \"enable_xcom_pickling=False\", lo que genera datos envenenados despu\u00e9s de la deserializaci\u00f3n de XCom. Esta vulnerabilidad se considera baja ya que requiere un autor de DAG para explotarla. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.8.1 o posterior, que soluciona este problema."}], "id": "CVE-2023-50943", "lastModified": "2024-01-30T22:57:59.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-24T13:15:07.953", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/01/24/4"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://github.com/apache/airflow/pull/36255"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}