Insecure Default

Affecting apache-airflow package, versions [0,1.10.11)


Overview

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Insecure Default. The Celery broker accept_content setting defaulted to ['json', 'pickle'], so workers would deserialize pickled messages even when the software was configured to send messages in the JSON format.

Note: An attacker requires access to the message broker used to send messages to Celery workers in order to exploit this vulnerability.

Remediation

Upgrade apache-airflow to version 1.10.11 or higher.
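As an added example (not code from the advisory or from the Airflow project), the following stdlib-only audit takes a Celery configuration mapping like the one a worker is started with, flags any accepted content type whose deserializer can construct arbitrary Python objects, accounts for Celery's result_accept_content fallback to accept_content, and returns a hardened copy that accepts and emits only JSON. The kombu serializer names and MIME types and the sample configuration are assumptions constructed for the example.

```python
"""Audit a Celery worker configuration for deserializers that are unsafe to
accept from a shared message broker, the insecure default behind this advisory."""
from typing import Dict, Iterable, List, Mapping
# kombu's serializer names and their wire MIME types (assumption: as registered
# in kombu's serialization registry); accept_content may use either spelling.
CONTENT_TYPES: Dict[str, str] = {
    "json": "application/json",
    "msgpack": "application/x-msgpack",
    "yaml": "application/x-yaml",
    "pickle": "application/x-python-serialize",
}
UNSAFE = {"pickle", "yaml"}  # loaders that can construct arbitrary Python objects
SERIALIZER_SETTINGS = ("task_serializer", "result_serializer", "event_serializer")

# Constructed sample mirroring the default the advisory describes.
INSECURE_DEFAULT: Dict[str, object] = {
    "accept_content": ["json", "pickle"],
    "task_serializer": "json",
}

def _names(values: Iterable[str]) -> List[str]:
    """Map MIME-type spellings back to kombu serializer names."""
    by_mime = {mime: name for name, mime in CONTENT_TYPES.items()}
    return [by_mime.get(v, v) for v in values]

def audit_celery_config(cfg: Mapping[str, object]) -> List[str]:
    """One finding per setting that lets a worker load an unsafe format,
    even when this deployment itself only ever sends JSON."""
    findings: List[str] = []
    accepted = _names(cfg.get("accept_content", ["json"]))
    # result_accept_content (Celery >= 4.3) inherits accept_content when unset.
    result_accepted = _names(cfg.get("result_accept_content", accepted))
    for setting, names in (("accept_content", accepted),
                           ("result_accept_content", result_accepted)):
        for name in names:
            if name in UNSAFE:
                findings.append(f"{setting} accepts {name!r}: anyone who can "
                                f"publish to the broker can have it deserialized")
    for setting in SERIALIZER_SETTINGS:
        if cfg.get(setting, "json") in UNSAFE:
            findings.append(f"{setting}={cfg[setting]!r} emits an unsafe format")
    return findings

def harden(cfg: Mapping[str, object]) -> Dict[str, object]:
    """Copy cfg so only JSON is accepted and emitted on task and result paths."""
    fixed: Dict[str, object] = dict(cfg)
    fixed["accept_content"] = ["json"]
    fixed["result_accept_content"] = ["json"]
    fixed.update({setting: "json" for setting in SERIALIZER_SETTINGS})
    return fixed
```

The insecure default yields two findings (task and result paths both accept pickle) because result_accept_content inherits accept_content; the hardened copy yields none.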

CVSS Score

8.0 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Credit: Snyk Security Team
CVE: CVE-2020-11982
CWE: CWE-453
Snyk ID: SNYK-PYTHON-APACHEAIRFLOW-570290
Disclosed: 24 May, 2020
Published: 14 Jul, 2020