Command Injection

Affecting apache-airflow package, versions [0,1.10.11)

Overview

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Command Injection. The Celery executor takes the commands it runs directly from the message broker, without validating or sanitizing them. An attacker who can place messages on the queue can therefore inject arbitrary commands and achieve command injection on the workers.

Note: An attacker requires access to the message broker used to send messages to the Celery workers in order to exploit this vulnerability.
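The unchecked pattern the advisory describes, next to a validating form, as an added illustration that is not Airflow's own code: it assumes a worker receives each task as a list of argv tokens whose legitimate form starts with `airflow run` (the 1.10 CLI), and the prefix allowlist, the sample payloads and the `RecordingRunner` stand-in are constructed for this example.

```python
"""Validating Celery task payloads before a worker executes them as subprocesses.

Added illustration, not apache-airflow's own code. Assumptions: the worker
receives a list of argv tokens (no shell), and every legitimate task command
starts with ["airflow", "run"]; the allowlist prefix is the assumed mitigation.
"""
import subprocess
from typing import Callable, List, Sequence

CommandType = List[str]
Runner = Callable[[CommandType], int]

# Assumed legitimate shape of a task command: `airflow run <dag> <task> <execution_date>`.
ALLOWED_PREFIX: Sequence[str] = ("airflow", "run")

# Constructed sample payloads, as a worker might pull them off the broker.
TASK_COMMAND: CommandType = [
    "airflow", "run", "example_dag", "example_task", "2020-05-24T00:00:00+00:00",
]
# A payload that is not an Airflow task command at all; a worker must refuse it.
ROGUE_COMMAND: CommandType = ["id"]


class RecordingRunner:
    """Stand-in for subprocess.call that records argv instead of spawning anything,
    so the two patterns below can be compared offline."""

    def __init__(self) -> None:
        self.seen: List[CommandType] = []

    def __call__(self, argv: CommandType) -> int:
        self.seen.append(list(argv))
        return 0


def execute_command_unchecked(command_to_exec: CommandType,
                              runner: Runner = subprocess.call) -> int:
    """Vulnerable pattern (CWE-78): whatever argv arrives from the queue is run as-is.
    Whoever can publish to the broker chooses which program the worker executes."""
    return runner(list(command_to_exec))


def validate_command(command_to_exec: CommandType) -> CommandType:
    """Reject anything that is not shaped like an Airflow task command."""
    if not isinstance(command_to_exec, list) or not all(
        isinstance(tok, str) for tok in command_to_exec
    ):
        raise ValueError("command must be a list of strings")
    if list(command_to_exec[: len(ALLOWED_PREFIX)]) != list(ALLOWED_PREFIX):
        raise ValueError('the command must start with ["airflow", "run"]')
    if any(tok == "" or "\x00" in tok for tok in command_to_exec):
        raise ValueError("empty or NUL-containing argument")
    return command_to_exec


def is_task_command(command_to_exec: CommandType) -> bool:
    """Boolean form of validate_command, convenient for logging and metrics."""
    try:
        validate_command(command_to_exec)
        return True
    except ValueError:
        return False


def execute_command_checked(command_to_exec: CommandType,
                            runner: Runner = subprocess.call) -> int:
    """Hardened pattern: enforce the allowlisted prefix, then run argv without a
    shell so no token is reinterpreted by /bin/sh."""
    return runner(validate_command(command_to_exec))


if __name__ == "__main__":
    recorder = RecordingRunner()
    execute_command_unchecked(ROGUE_COMMAND, runner=recorder)   # runs ["id"]
    print("unchecked worker ran:", recorder.seen)
    for payload in (TASK_COMMAND, ROGUE_COMMAND):
        print(payload[:2], "accepted" if is_task_command(payload) else "rejected")
```

The prefix check is deliberately structural rather than a blocklist of dangerous tokens: a worker that only accepts its own CLI entry point limits what a compromised or misconfigured broker can make it do, and the remaining exposure is the set of options that entry point itself accepts. Passing argv as a list (never `shell=True`) closes off the separate problem of shell metacharacters inside individual arguments.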

Remediation

Upgrade apache-airflow to version 1.10.11 or higher.

CVSS Score

8.0 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

Credit: Snyk Security Team
CVE: CVE-2020-11981
CWE: CWE-78
Snyk ID: SNYK-PYTHON-APACHEAIRFLOW-570291
Disclosed: 24 May, 2020
Published: 14 Jul, 2020