CVE-2023-48291
Vulnerability in apache-airflow (PyPI)
What is CVE-2023-48291 About?
This vulnerability in Apache Airflow allows DAG authors to inject and execute local settings within the DAG folder, bypassing the scheduler's intended restrictions. This can lead to unauthorized code execution on the scheduler. Exploitation is relatively easy for DAG authors.
Affected Software
Technical Details
Apache Airflow versions before 2.10.1 are affected by a vulnerability where DAG authors can introduce local settings into the DAG folder. The scheduler, which is designed to prevent execution of arbitrary code submitted by DAG authors, fails to adequately sanitize or restrict these settings. Consequently, when the scheduler processes the DAG folder, it executes the malicious local settings as if they were legitimate components of the Airflow environment. This bypasses the intended security boundary that separates DAG author-submitted code from critical scheduler operations, leading to unauthorized code execution.
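A defender-side check for the condition described above, as an added example (not code from the Airflow project or from this advisory): it walks a DAG folder and reports any local settings module found there, parsing it with `ast` instead of importing it. The file name `airflow_local_settings.py`, the policy hook names and the sample folder layout are assumptions made for this example, and the sample files are constructed.

```python
import ast
import os
import tempfile

# Assumptions (not from the page): Airflow's local settings module is named
# airflow_local_settings, and these are policy hook names it may define.
SETTINGS_NAMES = {"airflow_local_settings.py"}
POLICY_HOOKS = {"dag_policy", "task_policy", "task_instance_mutation_hook",
                "pod_mutation_hook", "get_airflow_context_vars"}


def audit_dag_folder(dag_folder):
    """Find local-settings modules under dag_folder without importing them."""
    findings = []
    for root, _dirs, files in os.walk(dag_folder):
        for name in sorted(files):
            if name not in SETTINGS_NAMES:
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            try:
                # ast.parse only builds a syntax tree; nothing is executed.
                tree = ast.parse(source, filename=path)
                hooks = sorted(n.name for n in tree.body
                               if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
                               and n.name in POLICY_HOOKS)
                parsed = True
            except (SyntaxError, ValueError):
                hooks, parsed = [], False  # unparsable, but still reported
            findings.append({"path": os.path.relpath(path, dag_folder),
                             "hooks": hooks, "parsed": parsed})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Audit a constructed DAG folder: one ordinary DAG, one settings file."""
    with tempfile.TemporaryDirectory() as dags:
        os.makedirs(os.path.join(dags, "team_a"))
        with open(os.path.join(dags, "etl_daily.py"), "w") as fh:
            fh.write("# constructed sample DAG file\nschedule = '@daily'\n")
        with open(os.path.join(dags, "team_a", "airflow_local_settings.py"), "w") as fh:
            fh.write("def task_policy(task):\n    task.queue = 'default'\n")
        return audit_dag_folder(dags)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any finding is worth reviewing regardless of which hooks it defines, since a settings module has no reason to live in a folder that DAG authors can write to.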
What is the Impact of CVE-2023-48291?
Successful exploitation may allow attackers to execute arbitrary code with the privileges of the scheduler, compromise the integrity and availability of the Airflow environment, and potentially access sensitive data processed by the scheduler.
What is the Exploitability of CVE-2023-48291?
Exploitation requires an authenticated user with DAG author privileges. The attack is primarily executed by submitting a malicious configuration or script within the DAG files themselves. This typically involves remote access to the Airflow instance for DAG submission. The complexity is low for a malicious DAG author, as it leverages an inherent design flaw in how the scheduler processes DAG-related content. No specific authentication beyond being a DAG author is needed, and no elevated privileges are required beyond the ability to create or modify DAGs. The primary risk factor is the trustworthiness of DAG authors and the potential for compromised DAG author accounts.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-48291?
Available Upgrade Options
- apache-airflow
  - <2.8.0 → Upgrade to 2.8.0
Additional Resources
- http://www.openwall.com/lists/oss-security/2023/12/21/1
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-265.yaml
- https://lists.apache.org/thread/3nl0h014274yjlt1hd02z0q78ftyz0z3
- https://github.com/apache/airflow
- https://osv.dev/vulnerability/GHSA-8f57-wcmg-4jmh
- https://nvd.nist.gov/vuln/detail/CVE-2023-48291
- https://github.com/apache/airflow/commit/4f1b500c47813c54349b7d3e48df0a444fb4826c
- https://github.com/apache/airflow/pull/34366
What are Similar Vulnerabilities to CVE-2023-48291?
Similar Vulnerabilities: CVE-2020-13946, CVE-2021-39070, CVE-2021-42065, CVE-2023-48291, CVE-2022-24623
