CVE-2020-11982

Deserialization of Untrusted Data in pypi/apache-airflow

Identifiers

CVE-2020-11982

Package Slug

pypi/apache-airflow

Vulnerability

Deserialization of Untrusted Data

Description

An issue was found in Apache Airflow. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly into the broker, which could lead to a deserialization attack (and thus remote code execution) on the Worker.
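The root cause described above is a worker that is willing to deserialize whatever the broker hands it. The following is an added, self-contained Python model of that decision point; it is not Airflow's or Celery's own code. It mirrors the shape of Celery's `accept_content` setting (a real Celery setting) and the Kombu content type for pickled bodies (`application/x-python-serialize`), but the message tuples, the two allow-lists and all helper names are constructed for illustration. The weak allow-list lets a pickled body reach `pickle.loads`, which is where attacker-supplied bytes would execute; the hardened allow-list rejects the message before any deserialization happens.

```python
import json
import pickle

# Constructed message shape, loosely modelled on a broker message:
# (content_type header, opaque body bytes). Not Airflow's or Celery's code.

class ContentDisallowed(Exception):
    """Raised when a message's content type is not in the accept list."""

# Hypothetical allow-lists. The weak one accepts pickle, the hardened one only JSON.
WEAK_ACCEPT_CONTENT = ["json", "pickle"]
HARDENED_ACCEPT_CONTENT = ["json"]

# Map of wire content types to serializer names (the pickle one matches Kombu's).
CONTENT_TYPES = {
    "application/json": "json",
    "application/x-python-serialize": "pickle",
}

def decode_body(content_type, body, accept_content):
    """Deserialize a message body only if its content type is on the allow-list."""
    serializer = CONTENT_TYPES.get(content_type)
    if serializer is None or serializer not in accept_content:
        # Reject before touching the body: unknown or disallowed serializers never run.
        raise ContentDisallowed(f"refusing to deserialize content type {content_type!r}")
    if serializer == "json":
        return json.loads(body)
    # pickle.loads executes code embedded in the bytes it is given. With the weak
    # allow-list, anyone who can write to the broker reaches this line.
    return pickle.loads(body)

def make_json_task(name, args):
    """Constructed JSON-encoded task message."""
    return ("application/json", json.dumps({"task": name, "args": args}).encode())

def make_pickle_task(name, args):
    """Constructed pickle-encoded task message (benign content, used only to show rejection)."""
    return ("application/x-python-serialize", pickle.dumps({"task": name, "args": args}))

def worker_accepts(message, accept_content):
    """Return (True, payload) if the worker would deserialize the message, else (False, None)."""
    content_type, body = message
    try:
        return True, decode_body(content_type, body, accept_content)
    except ContentDisallowed:
        return False, None

if __name__ == "__main__":
    msg = make_pickle_task("run_dag", ["example_dag"])
    print("weak allow-list accepts pickle:    ", worker_accepts(msg, WEAK_ACCEPT_CONTENT)[0])
    print("hardened allow-list accepts pickle:", worker_accepts(msg, HARDENED_ACCEPT_CONTENT)[0])
    print("hardened allow-list accepts JSON:  ",
          worker_accepts(make_json_task("run_dag", ["example_dag"]), HARDENED_ACCEPT_CONTENT)[0])
```

The design point is that the check runs on the header, before any bytes are parsed, so a disallowed serializer is never invoked. Restricting the serializer does not replace broker access control (authentication, TLS, network isolation for Redis or RabbitMQ); it limits what a message can do if that control is bypassed.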

Affected Versions

All versions up to 1.10.10

Solution

Upgrade to version 1.10.11 or above.

Last Modified

2020-07-27
