apache-airflow is a platform to programmatically author, schedule, and monitor workflows.
Affected versions of this package are vulnerable to Command Injection. The Celery executor receives plain commands to execute from the message broker, without any sanitization. An attacker can inject arbitrary commands into the queue and thereby achieve command injection.
Note: An attacker requires access to the message broker used to send messages to Celery workers in order to exploit this vulnerability.
Upgrade apache-airflow to version 1.10.11 or higher.
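The following is an added illustration, not Airflow's own code and not taken from the advisory: a worker-side check that treats every command arriving from the broker as untrusted input before executing it. The names `validate_command`, `execute_command`, `triage` and the `ALLOWED_PREFIX` value are assumptions made for this sketch.

```python
import subprocess

# Assumption for this sketch: a legitimate task message carries an argv list
# starting with this prefix. Adjust it to the CLI form your deployment uses.
ALLOWED_PREFIX = ["airflow", "run"]


class RejectedCommand(ValueError):
    """Raised when a broker message does not look like a task command."""


def validate_command(command):
    """Return the command as a list if it is an acceptable argv, else raise."""
    if not isinstance(command, (list, tuple)):
        # A single string would need a shell to be parsed; refuse it outright.
        raise RejectedCommand("command must be an argv list, not a string")
    if not all(isinstance(arg, str) for arg in command):
        raise RejectedCommand("every argument must be a string")
    if any("\x00" in arg for arg in command):
        raise RejectedCommand("NUL byte in argument")
    if list(command[:len(ALLOWED_PREFIX)]) != ALLOWED_PREFIX:
        raise RejectedCommand("command must start with %r" % (ALLOWED_PREFIX,))
    return list(command)


def execute_command(command, runner=subprocess.check_call):
    """Validate first, then run without a shell so arguments are not re-parsed."""
    argv = validate_command(command)
    return runner(argv, shell=False, close_fds=True)


def triage(messages):
    """Return (message, accepted, reason) tuples for logging or alerting."""
    results = []
    for msg in messages:
        try:
            validate_command(msg)
            results.append((msg, True, "ok"))
        except RejectedCommand as exc:
            results.append((msg, False, str(exc)))
    return results


# Constructed sample messages, for illustration only.
CONSTRUCTED_MESSAGES = [
    ["airflow", "run", "example_dag", "example_task", "2020-01-01T00:00:00"],
    ["echo", "hello"],
    "airflow run example_dag example_task 2020-01-01T00:00:00",
]
```

A check like this narrows what a message from the queue can launch; it does not replace restricting access to the message broker, which the note above identifies as the precondition for exploitation.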