CVE-2023-36543
Denial of service vulnerability in apache-airflow (PyPI)
What is CVE-2023-36543 About?
This vulnerability in Apache Airflow versions prior to 2.6.3 allows an authenticated user to craft input that causes the current request to hang. This can lead to a denial of service condition by holding up server resources, and is moderately easy to exploit. The significant impact is resource exhaustion and reduced service availability.
Affected Software
Technical Details
The vulnerability in Apache Airflow, affecting versions before 2.6.3, stems from improper handling of crafted input provided by an authenticated user. Certain input patterns or data structures, when processed by the application, can lead to an infinite loop, a deadlock, or an extremely long processing time for the request. The server process or thread handling that request becomes unresponsive, effectively "hanging". If multiple such requests are made, or if the crafted input targets a critical shared resource, the available processing capacity of the Airflow webserver (e.g., worker threads, memory) can be exhausted, leading to a denial of service for other legitimate users.
What is the Impact of CVE-2023-36543?
Successful exploitation may allow attackers to disrupt the normal operation of the application, leading to service unavailability, resource exhaustion, and degraded performance.
What is the Exploitability of CVE-2023-36543?
Exploitation requires prior authentication to the Apache Airflow instance: the attacker must be an authenticated user in order to submit the crafted input that triggers the hanging request. The attack is remote, and its complexity is moderate, since it requires knowledge of how to format the input so that it induces the hang. The primary prerequisite is a valid user account. The main risk factor is that any authenticated user, even one with low privileges, can potentially impact the availability of the entire Airflow instance.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-36543?
Available Upgrade Options
- apache-airflow
- <2.6.3 → Upgrade to 2.6.3
Additional Resources
- https://github.com/apache/airflow/pull/32060
- https://nvd.nist.gov/vuln/detail/CVE-2023-36543
- https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4
- https://osv.dev/vulnerability/GHSA-3h4m-m55v-gx4m
- https://github.com/apache/airflow
- https://osv.dev/vulnerability/PYSEC-2023-106
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml
- https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315
What are Similar Vulnerabilities to CVE-2023-36543?
Similar Vulnerabilities: CVE-2023-27539, CVE-2022-26125, CVE-2018-8013, CVE-2016-10757, CVE-2014-0081
