SB2024012523 - Multiple vulnerabilities in Apache Airflow
Published: January 25, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-50944)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to application does not properly impose security restrictions. A remote user can access the source code of a DAG to which they don't have access.
2) Security features bypass (CVE-ID: CVE-2023-50943)
The vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an error when processing untrusted input with "enable_xcom_pickling=False" configuration setting. A remote user with DAG author permissions can bypass the configuration setting and poison the XCom data.
Remediation
Install update from vendor's website.
References
- https://github.com/apache/airflow/pull/36257
- https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h
- http://www.openwall.com/lists/oss-security/2024/01/24/5
- https://github.com/apache/airflow/pull/36255
- https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
- http://www.openwall.com/lists/oss-security/2024/01/24/4