CVE-2020-11981

OS Command Injection in pypi/apache-airflow

Identifiers

CVE-2020-11981

Package Slug

pypi/apache-airflow

Vulnerability

OS Command Injection

Description

An issue was found in Apache Airflow. When CeleryExecutor is in use, an attacker who can connect directly to the broker (Redis, RabbitMQ) can inject commands, causing the Celery worker to run arbitrary commands.

Affected Versions

All versions up to 1.10.10

Solution

Upgrade to version 1.10.11 or above.

Last Modified

2020-07-27
