Apache Airflow: Potential pickle deserialization vulnerability in XComs
CVE-2023-50943

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Airflow
Vendor
CVE Published:
24 January 2024

Summary

A vulnerability exists in Apache Airflow that allows malicious actors to exploit XCom data. If an attacker successfully bypasses the configuration setting 'enable_xcom_pickling=False', they can insert harmful data into the XCom, leading to data poisoning upon deserialization. To mitigate this risk, it is essential for users to upgrade to Apache Airflow version 2.8.1 or later, which effectively addresses this issue.

Affected Version(s)

Apache Airflow 0 < 2.8.1

References

https://github.com/apache/airflow/pull/36255
patch
https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3...
vendor-advisory
http://www.openwall.com/lists/oss-security/2024/01/24/4

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peng Zhou ([email protected])
Hussein Awala
.