PT-2024-1306 · Apache · Apache Airflow

Hussein Awala, +1

Published 2024-01-24 · Updated 2026-02-20 · CVE-2023-50943

CVSS v2.0 score: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.8.1
Description: The issue lies in the XCom deserialization mechanism of Apache Airflow. An attacker can poison XCom data by bypassing the protection that the enable_xcom_pickling = False configuration setting (in the [core] section of airflow.cfg) is meant to provide, so that poisoned data is produced when the XCom value is deserialized. The issue is rated low severity because exploiting it requires DAG-author privileges, and DAG authors already hold a broad set of permissions.
Recommendations: Upgrade to Apache Airflow 2.8.1 or later, which fixes this issue. Toggling enable_xcom_pickling is not a workaround on unpatched versions: with the setting False the protection is exactly what this issue bypasses, and with it True every XCom value is unpickled by design. Until the upgrade is done, restrict who can author DAGs and write XCom values, since the issue requires a DAG author to exploit it, and treat XCom values produced by DAGs you do not control as untrusted input.
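The description says the enable_xcom_pickling = False protection can be bypassed and the recommendations say the setting is not a fix. The Python below is an added illustration written for this page, not Apache Airflow's XCom code. It models one common way such a flag gets defeated (a JSON-first reader that falls back to pickle when the stored bytes are not JSON; this fallback shape is an assumption about the bug class, not a statement about Airflow's implementation) next to a strict reader, and adds two checks a practitioner would want on an unpatched instance: a heuristic for spotting pickle bytes in stored XCom values and a version gate against the fixed release. The poisoned value is constructed inline and only names os.getcwd, so the demo is harmless; a real payload could name any importable callable.

```python
"""Model of a 'pickling disabled' deserializer with and without a pickle fallback.

Added illustration of the bug class behind CVE-2023-50943, written for this
page; it is NOT Apache Airflow's XCom code, and the fallback shape below is an
assumption about how such a protection can be bypassed, not Airflow's logic.
"""
import json
import os
import pickle
import re
from typing import Any


class _Probe:
    """Constructed attacker-controlled XCom value.

    A real poisoned pickle would name any importable callable; os.getcwd keeps
    the demo harmless and deterministic, but the callable still runs at load.
    """

    def __reduce__(self):
        return (os.getcwd, ())


POISONED_VALUE: bytes = pickle.dumps(_Probe())          # constructed, not real XCom data
BENIGN_VALUE: bytes = json.dumps({"rows": 42}).encode("utf-8")


def expected_probe_result() -> str:
    """What the probe payload evaluates to if pickle.loads is ever reached."""
    return os.getcwd()


def deserialize_with_fallback(raw: bytes, enable_pickling: bool) -> Any:
    """Hypothetical vulnerable pattern: the flag is honoured only on the happy path.

    With enable_pickling=False the reader tries JSON first, but on non-JSON
    bytes it silently falls back to pickle, so a DAG author who stores raw
    pickle bytes still gets them unpickled by every downstream reader.
    """
    if enable_pickling:
        return pickle.loads(raw)
    try:
        return json.loads(raw.decode("utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return pickle.loads(raw)  # the bypass: pickle runs despite the flag


def deserialize_strict(raw: bytes, enable_pickling: bool) -> Any:
    """Hardened form: with pickling disabled, only JSON is ever accepted.

    Undecodable or non-JSON bytes raise (UnicodeDecodeError and JSONDecodeError
    are both ValueError subclasses) instead of reaching pickle.loads.
    """
    if enable_pickling:
        return pickle.loads(raw)
    return json.loads(raw.decode("utf-8"))


def strict_rejects(raw: bytes) -> bool:
    """True if the hardened reader refuses raw with pickling disabled."""
    try:
        deserialize_strict(raw, enable_pickling=False)
    except ValueError:
        return True
    return False


def looks_like_pickle(raw: bytes) -> bool:
    """Audit heuristic for stored values on an instance that cannot be patched yet.

    Protocol 2+ pickles (the Python 3 default) begin with the PROTO opcode 0x80
    followed by the protocol number; JSON text never starts with that byte.
    Protocol 0/1 pickles are not caught, so treat a hit as a signal, not proof.
    """
    return len(raw) >= 2 and raw[0] == 0x80 and 2 <= raw[1] <= pickle.HIGHEST_PROTOCOL


def is_fixed_version(version: str) -> bool:
    """True when an Airflow version string is 2.8.1 or later (the fixed release).

    Leading integers of the first three components are compared; pre-release
    suffixes such as rc1 are ignored, so 2.8.1rc1 counts as 2.8.1.
    """
    parts = []
    for piece in version.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) >= (2, 8, 1)


if __name__ == "__main__":
    # Same flag, same stored bytes, different outcome: only the strict reader
    # keeps "pickling disabled" meaning what an operator expects.
    print("fallback reader returned:", deserialize_with_fallback(POISONED_VALUE, False))
    print("strict reader rejects it:", strict_rejects(POISONED_VALUE))
    print("audit flags the value:", looks_like_pickle(POISONED_VALUE))
    print("2.8.0 fixed?", is_fixed_version("2.8.0"), "| 2.8.1 fixed?", is_fixed_version("2.8.1"))
```

On a real instance the audit would feed the raw bytes of the value column of the xcom table into looks_like_pickle rather than the constructed sample; any hit while enable_xcom_pickling is False is worth investigating, since nothing should be writing pickle bytes there in that configuration.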

Tags: Fix · DoS · Deserialization of Untrusted Data


Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

BDU:2024-00754
BIT-AIRFLOW-2023-50943
CVE-2023-50943
GHSA-C3C6-F2WW-XFR2
PYSEC-2024-13

Affected Products

Apache Airflow