Command Injection Affecting apache-airflow package, versions [0,1.10.11)
Snyk CVSS
Attack Complexity: High
Privileges Required: High
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
Threat Intelligence
Exploit Maturity: Proof of concept
EPSS: 93.32% (100th percentile)
- Snyk ID SNYK-PYTHON-APACHEAIRFLOW-570291
- published 14 Jul 2020
- disclosed 24 May 2020
- credit Snyk Security Team
Introduced: 24 May 2020
CVE-2020-11981
How to fix?
Upgrade apache-airflow to version 1.10.11 or higher.
Overview
apache-airflow is a platform to programmatically author, schedule, and monitor workflows.
Affected versions of this package are vulnerable to Command Injection. The Celery executor's worker task receives the command to run as an argument list from the message broker and passes it straight to a subprocess, without checking that it is an Airflow task command at all. Anyone who can publish messages to that queue can therefore enqueue an arbitrary command and have a Celery worker execute it with the worker's privileges.
Note: an attacker requires access to the message broker used to send messages to Celery workers (network reachability plus the broker credentials) in order to exploit this vulnerability.
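The following is an added example, not code from the Apache Airflow project or from this advisory. It models the vulnerable pattern described above (a worker that executes whatever argument list arrives from the broker) next to a hardened version that only accepts an allow-listed command prefix. The broker is replaced by a constructed in-memory list of task messages so the example runs offline; the allow-listed prefix `("airflow", "run")` and the function names are assumptions for this illustration, not a statement of the project's exact fix.

```python
import subprocess
import sys
from typing import Callable, List, Sequence

# Assumption for this example: a legitimate Airflow 1.10.x task command
# starts with "airflow run". The real project's allow-list may differ.
ALLOWED_PREFIX = ("airflow", "run")


def execute_command_vulnerable(command_to_exec: Sequence[str]) -> int:
    """Vulnerable pattern: run whatever argv list arrived from the broker.

    Whoever can publish to the Celery queue chooses argv[0], so this is
    command execution for anyone with write access to the broker.
    """
    return subprocess.call(list(command_to_exec))


def validate_task_command(command_to_exec: object) -> List[str]:
    """Reject anything that is not an 'airflow run ...' argv list.

    The type checks matter: slicing a plain string such as "airflow run"
    would compare "ai" against the prefix instead of whole arguments.
    """
    if not isinstance(command_to_exec, (list, tuple)):
        raise ValueError("command must be an argv list, not %s"
                         % type(command_to_exec).__name__)
    if not all(isinstance(arg, str) for arg in command_to_exec):
        raise ValueError("every argv element must be a string")
    if tuple(command_to_exec[:len(ALLOWED_PREFIX)]) != ALLOWED_PREFIX:
        raise ValueError('The command must start with "airflow run".')
    return list(command_to_exec)


def is_valid_task_command(command_to_exec: object) -> bool:
    """Boolean wrapper around validate_task_command for callers and tests."""
    try:
        validate_task_command(command_to_exec)
        return True
    except ValueError:
        return False


def execute_command_hardened(command_to_exec: object) -> int:
    """Fixed pattern: validate the argv before handing it to subprocess."""
    argv = validate_task_command(command_to_exec)
    return subprocess.call(argv)


# Constructed sample queue: one legitimate task message and one injected by
# someone who can write to the broker. Celery delivers the task arguments as
# a JSON list; only that list is modelled here, no real broker is involved.
QUEUE: List[List[str]] = [
    ["airflow", "run", "example_dag", "example_task",
     "2020-05-24T00:00:00+00:00"],
    [sys.executable, "-c", "print('attacker code ran on the worker')"],
]


def drain_queue(queue: Sequence[Sequence[str]],
                executor: Callable[[Sequence[str]], int]) -> List[str]:
    """Feed every message to the given executor and report what happened."""
    results = []
    for msg in queue:
        try:
            rc = executor(msg)
            results.append("executed rc=%d" % rc)
        except ValueError as exc:
            results.append("rejected: %s" % exc)
        except FileNotFoundError:
            # The legitimate message needs a real `airflow` binary on PATH,
            # which this offline example does not assume.
            results.append("not installed: %r" % msg[0])
    return results


if __name__ == "__main__":
    print("vulnerable worker:", drain_queue(QUEUE, execute_command_vulnerable))
    print("hardened worker:  ", drain_queue(QUEUE, execute_command_hardened))
```

Run it and the vulnerable worker executes the injected Python one-liner (the message is just another argv list to it), while the hardened worker rejects the same message before any process is spawned. Note the limit of this control: the prefix check only pins argv[0] and argv[1], so anything `airflow run` itself can be told to do remains reachable by whoever can write to the broker. Restricting broker access (credentials, network exposure, per-vhost permissions) stays the primary mitigation; the argv check is defence in depth.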