CVE-2023-49920
Security Bypass vulnerability in apache-airflow (PyPI)
What is CVE-2023-49920 About?
This vulnerability is a security bypass in Apache Santuario XML Security for Java versions 2.0.3 and all 2.1.x before 2.1.4. It allows untrusted code to register a malicious implementation, which can then be cached and reused, compromising security checks for signed XML documents. Exploitation relies on the ability to register malicious code via the thread context class loader.
Affected Software
- apache-airflow
  - >2.7.0, <2.8.0
  - >2.7.0, <2.8.0b1
Technical Details
Apache Santuario XML Security for Java introduced a caching mechanism in version 2.0.3 for DocumentBuilders to enhance performance when creating new XML documents. The vulnerability arises because this caching mechanism does not adequately protect against malicious implementations being registered with the thread context class loader. If an untrusted code segment can manipulate the thread context class loader to register its own malicious DocumentBuilder implementation, this compromised implementation can then be cached in the static pool. Subsequent operations by Apache Santuario, such as validating signed XML documents, might reuse this cached, malicious DocumentBuilder. This insidious reuse allows the attacker's code to interfere with the parsing and validation process, potentially leading to a security bypass where invalid or tampered signed documents are deemed valid, or legitimate documents are maliciously interpreted.
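As an added illustration (not part of this advisory, and not Santuario or Airflow code), the following Java class shows the defensive counterpart of the mechanism described above: instead of letting `DocumentBuilderFactory.newInstance()` discover an implementation through the thread context class loader, it pins the JDK's built-in factory with `newDefaultInstance()` (Java 9+), checks that the resolved class is defined by the bootstrap or platform loader rather than an application loader, and compares it with what discovery would have returned so that a mismatch can be surfaced during review or at startup. The class name `PinnedDocumentBuilder`, the helper names and the sample document are the editor's assumptions; the Santuario-internal static pool is not reproduced here.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

/**
 * Added example (editor's code, not Santuario's): obtain a DocumentBuilder
 * without going through the thread-context-class-loader service lookup,
 * verify which implementation was actually resolved, and only then parse.
 */
public final class PinnedDocumentBuilder {

    // Classes defined by the bootstrap loader (getClassLoader() == null) or the
    // platform loader belong to the JDK. Anything defined by an application or
    // thread context loader is not the implementation we asked for.
    static boolean isJdkImplementation(Class<?> impl) {
        ClassLoader cl = impl.getClassLoader();
        return cl == null || cl == ClassLoader.getPlatformClassLoader();
    }

    static DocumentBuilder newPinnedBuilder() throws ParserConfigurationException {
        // newDefaultInstance() returns the JDK built-in factory and does not
        // consult the thread context class loader or META-INF/services files.
        DocumentBuilderFactory factory = DocumentBuilderFactory.newDefaultInstance();
        if (!isJdkImplementation(factory.getClass())) {
            throw new IllegalStateException(
                "unexpected DocumentBuilderFactory implementation: " + factory.getClass().getName());
        }
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setNamespaceAware(true);          // XML Signature processing requires namespaces
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // The discovery path the advisory text describes: the implementation that
    // newInstance() resolves via the thread context class loader. Returned only
    // so callers can compare it against the pinned one and report a mismatch.
    static String discoveredImplementation() {
        return DocumentBuilderFactory.newInstance().getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = newPinnedBuilder();
        String pinned = DocumentBuilderFactory.newDefaultInstance().getClass().getName();
        String discovered = discoveredImplementation();
        if (!pinned.equals(discovered)) {
            // A different class reachable through the TCCL is exactly the
            // situation a caching layer would otherwise reuse silently.
            System.err.println("WARNING: TCCL discovery resolved " + discovered
                + " but the JDK default is " + pinned);
        }
        String xml = "<doc><a/></doc>";  // constructed sample input
        Document d = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.println("root=" + d.getDocumentElement().getTagName()
            + " builder=" + builder.getClass().getName());
    }
}
```

The comparison in `main` is a startup-time check, not a fix for the library's own pool: code that calls Santuario still depends on the library version for what gets cached. The check is useful as a canary in an environment where third-party components share the JVM, because an unexpected implementation showing up through discovery is visible before any signed document is processed.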
What is the Impact of CVE-2023-49920?
Successful exploitation may allow attackers to bypass security validation of signed XML documents, leading to unauthorized data manipulation, integrity compromise, denial of service, or other security flaws related to trusted document processing.
What is the Exploitability of CVE-2023-49920?
Exploitation of this vulnerability is complex. It requires the attacker to have the ability to execute untrusted code within the same Java Virtual Machine (JVM) process as Apache Santuario, specifically to manipulate the thread context class loader. No authentication is necessary if the attacker can already run code in the JVM, but it implicitly requires a level of access to inject code. Privilege requirements depend on the execution environment; the untrusted code needs sufficient privileges to modify class loading behavior. This is typically a local exploitation scenario, as it involves interaction within the JVM. A special condition is the presence of other vulnerabilities or weak configurations that allow the attacker to introduce and execute untrusted code within the application's runtime. The likelihood of exploitation increases if the application loads third-party components that could be controlled by an attacker or if the DocumentBuilder caching mechanism is used in sensitive security contexts.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-49920?
Available Upgrade Options
- apache-airflow
  - >2.7.0, <2.8.0b1 → Upgrade to 2.8.0b1
- apache-airflow
  - >2.7.0, <2.8.0 → Upgrade to 2.8.0
Additional Resources
- http://www.openwall.com/lists/oss-security/2023/12/21/3
- https://lists.apache.org/thread/mnwd2vcfw3gms6ft6kl951vfbqrxsnjq
- https://nvd.nist.gov/vuln/detail/CVE-2023-49920
- https://github.com/apache/airflow
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-266.yaml
- https://github.com/apache/airflow/commit/f5d802791fa5f6b13b635f06a1ea2eccc22a9ba7
- https://github.com/apache/airflow/pull/36026
What are Similar Vulnerabilities to CVE-2023-49920?
Similar Vulnerabilities: CVE-2022-40153, CVE-2020-11977, CVE-2017-15707, CVE-2016-8743, CVE-2015-1836
