x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-50943

[GoVulnBot]

CVE-2023-50943 references github.com/apache/airflow, which may be a Go module.

Description: Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it requires a DAG author to exploit it. Users are recommended to upgrade to version 2.8.1 or later, which fixes this issue.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-50943
• JSON: https://github.com/CVEProject/cvelist/tree/d60c28c8bf4b1e2c8335019d5146a570ea639d14/2023/50xxx/CVE-2023-50943.json
• fix: https://github.com/apache/airflow/pull/36255
• web: https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn
• Imported by: https://pkg.go.dev/github.com/apache/airflow?tab=importedby

Cross references: No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/airflow
      vulnerable_at: 1.8.2
      packages:
        - package: Apache Airflow
cves:
    - CVE-2023-50943
references:
    - fix: https://github.com/apache/airflow/pull/36255
    - web: https://lists.apache.org/thread/fx278v0twqzxkcts70tc04cp3f8p56pn

[gopherbot]

Change https://go.dev/cl/557819 mentions this issue: data/excluded: batch add 10 excluded reports