Apache Airflow versions 1.10.10 and below: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Vulnerability
An issue was found in Apache Airflow versions 1.10.10 and below.
The information has been provided by Ash Berlin-Taylor.
The original article can be found at: https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
Affected versions: Apache Airflow 1.10.10 and below.
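The two defensive controls that follow from the issue above, as an added example that is not Airflow's own code: a worker-side allowlist so that a message injected into the broker cannot make the worker run an arbitrary program, and an operator-side lint of the `[celery] broker_url` setting that flags a broker reachable without credentials or TLS. The accepted argv prefix `airflow run` and the finding texts are assumptions made for this illustration.

```python
from urllib.parse import urlparse

# Assumed here: the only argv prefix a worker should ever receive from the
# executor. Anything else is refused before subprocess is involved.
ALLOWED_PREFIXES = (("airflow", "run"),)
# Shell metacharacters have no place in a dag id, task id or execution date.
# Defence in depth only: the argv list must still be run without shell=True.
SHELL_META = set(";&|`$<>\n")


def is_safe_command(command) -> bool:
    """True only for a non-empty list of str that starts with an allowed
    prefix and carries no shell metacharacters in any argument."""
    if not isinstance(command, (list, tuple)) or not command:
        return False
    if not all(isinstance(arg, str) for arg in command):
        return False
    if tuple(command[:2]) not in ALLOWED_PREFIXES:
        return False
    return not any(SHELL_META & set(arg) for arg in command)


def broker_url_findings(broker_url: str) -> list:
    """Lint a Celery broker URL (the value of [celery] broker_url in
    airflow.cfg) and return a list of human-readable findings; an empty
    list means no issue was spotted."""
    u = urlparse(broker_url)
    findings = []
    if u.scheme in ("redis", "amqp", "pyamqp"):
        findings.append("broker transport is not TLS; use rediss:// or amqps://")
    if not u.password:
        findings.append("broker URL carries no credentials; anyone who can "
                        "reach the port can enqueue tasks for the workers")
    elif u.password == "guest":
        findings.append("broker uses the RabbitMQ default 'guest' password")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not values from a real deployment.
    print(is_safe_command(["airflow", "run", "example_dag", "t1", "2020-01-01"]))
    print(is_safe_command(["cat", "/etc/hostname"]))
    for url in ("redis://redis:6379/0", "rediss://:s3cret@redis.internal:6379/0"):
        print(url, broker_url_findings(url))
```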