Apache Airflow versions 1.10.10 and below: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) Vulnerability


An issue was found in Apache Airflow versions 1.10.10 and below.


The information has been provided by Ash Berlin-Taylor.

The original article can be found at: https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E


When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
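
A worker-side check for the condition described above, as an added example that is not Airflow's own code or its fix: every queued command is treated as untrusted, only an argv list beginning with an assumed `airflow run` prefix is accepted, and it is executed without a shell. The names `validate_queued_command`, `run_queued_command`, `RejectedCommand`, `classify` and the sample messages are hypothetical.

```python
import subprocess
from typing import Callable, List

# Assumption: a worker only ever needs to launch Airflow 1.10's task runner.
ALLOWED_PREFIX = ["airflow", "run"]


class RejectedCommand(ValueError):
    """A queued message that is not a plain task-run argv list."""


def validate_queued_command(command: object) -> List[str]:
    """Return the argv to execute, or raise RejectedCommand.

    The message is untrusted: anyone who can write to the broker can enqueue it.
    """
    # A single string would need shell parsing, so only argv lists are accepted.
    if not isinstance(command, (list, tuple)):
        raise RejectedCommand("expected an argv list, got " + type(command).__name__)
    if not all(isinstance(arg, str) for arg in command):
        raise RejectedCommand("every argv element must be a string")
    if list(command[: len(ALLOWED_PREFIX)]) != ALLOWED_PREFIX:
        raise RejectedCommand("command does not start with 'airflow run'")
    return list(command)


def run_queued_command(command: object,
                       runner: Callable[..., int] = subprocess.check_call) -> int:
    """Validate first, then execute without a shell."""
    argv = validate_queued_command(command)
    # shell=False hands argv to the program verbatim; metacharacters stay data.
    return runner(argv, shell=False, close_fds=True)


# Constructed sample messages, as a worker might read them off the queue.
SAMPLES = [
    ["airflow", "run", "example_dag", "example_task", "2020-07-16T00:00:00"],
    "airflow run example_dag example_task 2020-07-16 && echo marker",
    ["sh", "-c", "echo marker"],
    ["airflow", "run", "example_dag", 42],
]


def classify(samples=SAMPLES) -> List[str]:
    """Label each sample 'accept' or 'reject' without executing anything."""
    results = []
    for sample in samples:
        try:
            validate_queued_command(sample)
            results.append("accept")
        except RejectedCommand:
            results.append("reject")
    return results
```

The check limits what a forged queue message can make the worker run; it does not replace restricting who can connect to the broker.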


Vulnerable Systems:

Apache Airflow versions 1.10.10 and below


CVE Information:



Disclosure Timeline:
Published Date: 7/16/2020
