CVE-2023-47037
Sandbox Escape vulnerability in apache-airflow (PyPI)

Sandbox Escape Proof of concept

What is CVE-2023-47037 About?

The `safe-eval` package, in versions prior to 0.4.0, is vulnerable to a sandbox escape that lets an attacker break out of the intended restricted environment and execute arbitrary code by reaching object constructors from inside the evaluated string. Exploitation is simple and is documented with a proof of concept.

Affected Software

apache-airflow <2.7.3

Technical Details

The `safe-eval` package, in affected versions, fails to properly isolate untrusted code within its sandboxed environment. The vulnerability stems from the ability of unsanitized user input to access global object constructors within the JavaScript execution context. Specifically, by using `this.constructor.constructor`, an attacker can reach the `Function` constructor, since every ordinary object's constructor is a function and every function's constructor is `Function`. This allows them to create and execute new functions outside the sandbox, which can then reach the entire standard library and system functions. The proof of concept `this.constructor.constructor('return process')().exit()` demonstrates this by obtaining the global `process` object and calling `exit()`, effectively breaking out of the sandbox and executing arbitrary system commands or operations.
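The constructor chain described above, shown as an added example that is not code from the page or from the `safe-eval` project: the first function only demonstrates that any plain object leads to `Function` in two property hops, and the second is a hypothetical defender-side pre-filter (`classifyExpression`, an assumed name) that rejects expressions mentioning known escape tokens before they are handed to an evaluator. The sample inputs are constructed.

```javascript
'use strict';

// Added example, not from the page or the safe-eval project.
// Every ordinary object's constructor (Object, Array, String, ...) is itself a
// function, and every function's constructor is Function. A sandbox that hides
// globals but still exposes a plain object therefore exposes Function, which
// compiles new code in the global scope. This function only checks the
// relationship; it does not compile or run anything.
function reachesFunctionConstructor(value) {
  return value != null && value.constructor.constructor === Function;
}

// Hypothetical pre-filter: reject any expression that names prototype or
// constructor access or well-known globals. A denylist is brittle (string
// building and computed property access can evade it), so treat it as defence
// in depth for logging and blocking, not as the fix; the fix is upgrading to a
// version that isolates the context properly.
const ESCAPE_TOKENS = /\b(constructor|__proto__|prototype|Function|process|require)\b/;

function classifyExpression(expr) {
  if (typeof expr !== 'string') {
    return { allowed: false, reason: 'expression is not a string' };
  }
  const match = ESCAPE_TOKENS.exec(expr);
  if (match) {
    return { allowed: false, reason: `references ${match[1]}` };
  }
  return { allowed: true, reason: 'no known escape tokens' };
}

// Constructed sample inputs: one benign arithmetic expression, the page's
// proof-of-concept string, and a prototype-access attempt.
const SAMPLE_EXPRESSIONS = [
  'a + b * 2',
  "this.constructor.constructor('return process')().exit()",
  'x.__proto__.polluted = 1',
];

for (const expr of SAMPLE_EXPRESSIONS) {
  console.log(JSON.stringify(expr), '->', classifyExpression(expr));
}
console.log('({}).constructor.constructor === Function:', reachesFunctionConstructor({}));
```

The pre-filter is useful as a detection signal (log and alert on rejected expressions), but because the escape relies on language semantics rather than a specific string, only a properly isolated evaluation context, i.e. the patched version, actually closes the hole.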

What is the Impact of CVE-2023-47037?

Successful exploitation may allow attackers to execute arbitrary code outside the sandbox context, leading to complete compromise of the underlying system or application where the `safe-eval` package is used.

What is the Exploitability of CVE-2023-47037?

Exploitation of this vulnerability is simple, as demonstrated by the provided proof of concept. The primary prerequisite is the ability to supply unsanitized user input to the `safe-eval` function. No authentication is required if that input can reach an application using `safe-eval` without a prior login. Privilege requirements are low, as the vulnerability exists within the library itself. This is often a remote vulnerability, especially when `safe-eval` is used to process untrusted input from web requests or other network sources. There are no complex special conditions; the core issue is the ability to reach object constructors from within the evaluated string. The risk of exploitation is high given the simplicity of the attack and its potential for arbitrary code execution.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-47037?

Available Upgrade Options

  • apache-airflow
    • <2.7.3 → Upgrade to 2.7.3


Additional Resources

What are Similar Vulnerabilities to CVE-2023-47037?

Similar Vulnerabilities: CVE-2023-28155, CVE-2022-21650, CVE-2020-28500, CVE-2019-10777, CVE-2018-3729