CVE-2023-50943

Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
apacheairflow
𝑥
< 2.8.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/01/24/4
https://github.com/apache/airflow/pull/36255
https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
http://www.openwall.com/lists/oss-security/2024/01/24/4
https://github.com/apache/airflow/pull/36255
https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn