CVE-2023-50943

2024-01-2413:15:07

CWE-502

[email protected]

web.nvd.nist.gov

cve-2023-50943

apache airflow

vulnerability

xcom data

poisoning

configuration

dag

nvd

security update

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.005 Low

EPSS

Percentile

76.8%

JSON

Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of “enable_xcom_pickling=False” configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.

Affected configurations

Vulners

NVD

Node

apacheairflowRange≤2.8.1

CPENameOperatorVersion
apache:airflowapache airflowlt2.8.1

CPE	Name	Operator	Version
apache:airflow	apache airflow	lt	2.8.1

CNA Affected

[
  {
    "collectionURL": "https://pypi.python.org",
    "defaultStatus": "unaffected",
    "packageName": "apache-airflow",
    "product": "Apache Airflow",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.8.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]