oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-50943: Apache Airflow: Potential pickle deserialization vulnerability in XComs

From: Ephraim Anierobi <ephraimanierobi () apache org>
Date: Wed, 24 Jan 2024 11:06:36 +0000
Severity: low

Affected versions:

- Apache Airflow before 2.8.1

Description:

Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by 
bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom 
deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are 
recommended to upgrade to version 2.8.1 or later, which fixes this issue.

Credit:

Peng Zhou (zpbrent () gmail com) (finder)
Hussein Awala (remediation developer)

References:

https://github.com/apache/airflow/pull/36255
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-50943
Previous By Date Next
Previous By Thread Next

Current thread: