CVE-2023-50943 Apache Airflow: Potential pickle deserialization vulnerability in XComs

🗓️ 24 Jan 2024 12:57:07Reported by apacheType

Apache Airflow XComs pickle deserialization vulnerabilit

Reporter	Title	Published	Views	Family All 20
BDU FSTEC	The vulnerability of the software responsible for creating, monitoring, and orchestrating data processing scripts in Airflow is related to deficiencies in the deserialization mechanism. This allows attackers to replace the XCom data, thereby bypassing the protection provided by the “enable_xcom_pickling=False” configuration setting.	30 Jan 202400:00	–	bdu_fstec
Circl	CVE-2023-50943	24 Jan 202414:26	–	circl
CNNVD	Apache Airflow 代码问题漏洞	24 Jan 202400:00	–	cnnvd
CNVD	Apache Airflow Code Execution Vulnerability (CNVD-2024-26531)	29 Jan 202400:00	–	cnvd
CVE	CVE-2023-50943	24 Jan 202412:57	–	cve
Github Security Blog	Apache Airflow: pickle deserialization vulnerability in XComs	24 Jan 202415:30	–	github
Hacker One	Internet Bug Bounty: Pickle deserialization vulnerability in XComs	25 Jan 202414:29	–	hackerone
NVD	CVE-2023-50943	24 Jan 202413:15	–	nvd
OSV	BIT-AIRFLOW-2023-50943 Apache Airflow: Potential pickle deserialization vulnerability in XComs	6 Mar 202410:50	–	osv
OSV	GHSA-C3C6-F2WW-XFR2 Apache Airflow: pickle deserialization vulnerability in XComs	24 Jan 202415:30	–	osv

[
  {
    "collectionURL": "https://pypi.python.org",
    "defaultStatus": "unaffected",
    "packageName": "apache-airflow",
    "product": "Apache Airflow",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.8.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
github	www.github.com/apache/airflow/pull/36255
lists	www.lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
openwall	www.openwall.com/lists/oss-security/2024/01/24/4

24 Jan 2024 13:00Current

7.6High risk

Vulners AI Score7.6

EPSS0.0121

CWE-502