Identifier

CVE-2020-11978

Package Slug

pypi/apache-airflow

Vulnerability

OS Command Injection

Description

A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

Affected Versions

All versions up to 1.10.10

Solution

Upgrade to version 1.10.11 or above.

Last Modified

2020-07-24

source