Remote Code Execution (RCE)

Affecting apache-airflow package, versions [0,1.10.11)

Overview

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The vulnerability lies in one of the example DAGs shipped with Airflow; it allows any authenticated user to run arbitrary commands as the user running the airflow worker or scheduler (which one depends on the executor in use). The vulnerability has no impact if the example DAGs are disabled by setting load_examples=False in the configuration.

Remediation

Upgrade apache-airflow to version 1.10.11 or higher.
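As an added example (not from the advisory or the Airflow project): a Python check that decides whether an installation is exposed by combining the two conditions above, the version boundary from the remediation and the load_examples setting from the overview. It parses a constructed airflow.cfg fragment and assumes Airflow's AIRFLOW__CORE__LOAD_EXAMPLES environment override, which is Airflow's documented convention for overriding [core] load_examples.

```python
import configparser
import re

FIXED_VERSION = (1, 10, 11)  # first fixed release per the advisory: [0, 1.10.11) is affected

# Constructed airflow.cfg fragment for demonstration; load_examples is Airflow's default of True.
SAMPLE_CFG = """\
[core]
dags_folder = /opt/airflow/dags
load_examples = True
executor = CeleryExecutor
"""


def parse_version(version: str) -> tuple:
    """Turn '1.10.10' or '1.10.11rc1' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def load_examples_enabled(cfg_text: str, env: dict) -> bool:
    """Return True if Airflow will load the bundled example DAGs.

    The AIRFLOW__CORE__LOAD_EXAMPLES environment variable (Airflow's
    AIRFLOW__<SECTION>__<KEY> override convention) takes precedence over
    [core] load_examples in airflow.cfg; if neither is set, Airflow defaults to True.
    """
    override = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if override is not None:
        return override.strip().lower() in ("true", "t", "1", "yes")
    # interpolation=None: airflow.cfg values contain '%%' and '{{ }}' templates
    # that must be read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.getboolean("core", "load_examples", fallback=True)


def assess(version: str, cfg_text: str, env: dict) -> dict:
    """Report whether this Airflow install is exposed to CVE-2020-11978 and what to do."""
    vulnerable_version = parse_version(version) < FIXED_VERSION
    examples = load_examples_enabled(cfg_text, env)
    exposed = vulnerable_version and examples
    if not vulnerable_version:
        action = "none: version is 1.10.11 or higher"
    elif exposed:
        action = "upgrade to 1.10.11+; until then set load_examples=False and restart"
    else:
        action = "upgrade to 1.10.11+; example DAGs are already disabled"
    return {"vulnerable_version": vulnerable_version, "load_examples": examples,
            "exposed": exposed, "action": action}


if __name__ == "__main__":
    print(assess("1.10.10", SAMPLE_CFG, {}))
```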

CVSS Score

8.8 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/RL:O

Credit: xuxiang of DtDream security
CVE: CVE-2020-11978
CWE: CWE-94
Snyk ID: SNYK-PYTHON-APACHEAIRFLOW-585817
Disclosed: 17 Jul, 2020
Published: 17 Jul, 2020