nvd-json-data-feeds/CVE-2023/CVE-2023-509xx/CVE-2023-50943.json

{
  "id": "CVE-2023-50943",
  "sourceIdentifier": "security@apache.org",
  "published": "2024-01-24T13:15:07.953",
  "lastModified": "2024-01-24T15:15:08.537",
  "vulnStatus": "Awaiting Analysis",
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of \"enable_xcom_pickling=False\" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.\n"
    },
    {
      "lang": "es",
      "value": "Apache Airflow, versiones anteriores a 2.8.1, tienen una vulnerabilidad que permite a un atacante potencial envenenar los datos de XCom al evadir la protecci\u00f3n de la configuraci\u00f3n \"enable_xcom_pickling=False\", lo que genera datos envenenados despu\u00e9s de la deserializaci\u00f3n de XCom. Esta vulnerabilidad se considera baja ya que requiere un autor de DAG para explotarla. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.8.1 o posterior, que soluciona este problema."
    }
  ],
  "metrics": {},
  "weaknesses": [
    {
      "source": "security@apache.org",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "http://www.openwall.com/lists/oss-security/2024/01/24/4",
      "source": "security@apache.org"
    },
    {
      "url": "https://github.com/apache/airflow/pull/36255",
      "source": "security@apache.org"
    },
    {
      "url": "https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn",
      "source": "security@apache.org"
    }
  ]
}