The vulnerability of the software responsible for creating, monitoring, and orchestrating data processing scripts in Airflow is related to deficiencies in the deserialization mechanism. This allows attackers to replace the XCom data, thereby bypassing the protection provided by the “enable_xcom_pickling=False” configuration setting.

🗓️ 30 Jan 2024 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 1 Views

Airflow deserialization flaw lets attackers replace XCom data and bypass enable_xcom_pickling.

Reporter	Title	Published	Views	Family All 20
Circl	CVE-2023-50943	24 Jan 202414:26	–	circl
CNNVD	Apache Airflow 代码问题漏洞	24 Jan 202400:00	–	cnnvd
CNVD	Apache Airflow Code Execution Vulnerability (CNVD-2024-26531)	29 Jan 202400:00	–	cnvd
CVE	CVE-2023-50943	24 Jan 202412:57	–	cve
Cvelist	CVE-2023-50943 Apache Airflow: Potential pickle deserialization vulnerability in XComs	24 Jan 202412:57	–	cvelist
Github Security Blog	Apache Airflow: pickle deserialization vulnerability in XComs	24 Jan 202415:30	–	github
Hacker One	Internet Bug Bounty: Pickle deserialization vulnerability in XComs	25 Jan 202414:29	–	hackerone
NVD	CVE-2023-50943	24 Jan 202413:15	–	nvd
OSV	BIT-AIRFLOW-2023-50943 Apache Airflow: Potential pickle deserialization vulnerability in XComs	6 Mar 202410:50	–	osv
OSV	GHSA-C3C6-F2WW-XFR2 Apache Airflow: pickle deserialization vulnerability in XComs	24 Jan 202415:30	–	osv

Vulners

Node

apache airflowRange<2.8.1

Source	Link
vuldb	www.vuldb.com/ru/
openwall	www.openwall.com/lists/oss-security/2024/01/24/4
github	www.github.com/apache/airflow/pull/36255
lists	www.lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
web	www.web.nvd.nist.gov/view/vuln/detail

30 Jan 2024 00:00Current

7.2High risk

Vulners AI Score7.2

CVSS 39.8

CVSS 210

EPSS0.0121

Airflow vulnerability Deserialization flaw Data exchange bypass Pickling protection bypass