Arbitrary Code Execution in airflow

Do your applications use this vulnerable package? Test your applications

Overview

airflow is a Programmatically author, schedule and monitor data pipelines.

Affected versions of this package are vulnerable to Arbitrary Code Execution. User input is sent unchecked to the the python eval function which directly executes the parameters. Any user who can create or edit charts may execute arbitrary code on the server.

References

Jira Issue
GitHub PR
GitHub Commit

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

Low
Integrity

Low
Availability

Low

Credit: Unknown
CWE: CWE-94
Snyk ID: SNYK-PYTHON-AIRFLOW-40616
Disclosed: 03 Mar, 2017
Published: 03 Mar, 2017

Arbitrary Code Execution
Affecting airflow package, versions [0.1,]

Overview

References

CVSS Score

Arbitrary Code Execution Affecting airflow package, versions [0.1,]

Overview

References

Arbitrary Code Execution
Affecting airflow package, versions [0.1,]