Apache Airflow versions 1.10.10 and earlier: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Vulnerability

Summary

An issue was found in Apache Airflow versions 1.10.10 and earlier; it is fixed in Apache Airflow 1.10.11.

Credit:

The information has been provided by Ash Berlin-Taylor

The original article can be found at: https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E


Details

When Airflow runs with the CeleryExecutor, the scheduler hands each task instance to a worker as a Celery message whose payload is the command line the worker should execute. In 1.10.10 and earlier the worker executed that command line without checking what it was. An attacker who can connect to the Celery broker (Redis, RabbitMQ) directly, for example because the broker is reachable over the network without authentication, can therefore enqueue a message of their own and have a Celery worker run arbitrary commands under the worker's account. Note that the broker is the trust boundary here: anyone who can write to the queue can already schedule Airflow work, so the broker should require authentication and not be exposed beyond the scheduler and workers regardless of the Airflow version in use.
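To make the failure mode concrete, the following is an added illustration (not Airflow's own code and not from the advisory) of the pattern: a task body that executes whatever argv list arrives from the broker, beside a version that refuses any message not starting with the one command the scheduler legitimately enqueues. Airflow 1.10.11 addressed the issue by validating the received command; the specific allowlist, the task names and the sample payloads below are assumptions made for the illustration, not a copy of the project's fix.

```python
import subprocess

# Constructed sample broker payloads (not captured from a real deployment).
# With CeleryExecutor the scheduler enqueues a Celery task whose argument is
# the argv list the worker should execute; anyone who can write to the
# queue can enqueue a payload of their own.
LEGITIMATE_PAYLOAD = ["airflow", "run", "example_dag", "example_task",
                      "2020-07-16T00:00:00+00:00", "--local"]
INJECTED_PAYLOAD = ["sh", "-c", "id > /tmp/pwned"]
# Attacker-controlled look-alike binary: same verb, different executable path.
PATH_TRICK_PAYLOAD = ["./airflow", "run", "x", "y", "2020-01-01"]

# Hypothetical allowlist for this illustration: the only command prefix the
# scheduler is assumed to enqueue.
ALLOWED_PREFIX = ["airflow", "run"]


def execute_command_unchecked(command_to_exec):
    """Vulnerable pattern: run whatever argv list the broker delivered."""
    subprocess.check_call(command_to_exec)


def validate_command(command_to_exec):
    """Return True only for an argv list the worker is willing to run.

    Checks, in order:
      * the payload must be a non-empty list (Celery JSON can carry any type)
      * every element must be a string, not a nested structure
      * the list must begin with exactly ALLOWED_PREFIX, so neither another
        executable nor a relative/absolute path to a look-alike binary passes
    """
    if not isinstance(command_to_exec, list) or not command_to_exec:
        return False
    if not all(isinstance(part, str) for part in command_to_exec):
        return False
    return command_to_exec[:len(ALLOWED_PREFIX)] == ALLOWED_PREFIX


def execute_command_checked(command_to_exec):
    """Hardened pattern: refuse the message before anything is spawned."""
    if not validate_command(command_to_exec):
        raise ValueError(
            "refusing broker payload that does not start with %r: %r"
            % (ALLOWED_PREFIX, command_to_exec))
    # shell=False (the default): the list goes straight to execve, so no
    # element is ever interpreted by a shell.
    subprocess.check_call(command_to_exec)


def check_payloads(payloads):
    """Map each payload (joined for readability) to its allowlist verdict."""
    return {" ".join(p): validate_command(p) for p in payloads}


if __name__ == "__main__":
    samples = [LEGITIMATE_PAYLOAD, INJECTED_PAYLOAD, PATH_TRICK_PAYLOAD]
    for argv, ok in check_payloads(samples).items():
        print("%-7s %s" % ("accept" if ok else "reject", argv))
```

The allowlist narrows what a queue writer can make the worker do from "any program" to "Airflow's own run command", which is a real improvement but not a substitute for broker authentication: an attacker with queue access can still invoke existing DAG tasks of their choosing, so network isolation and credentials on Redis or RabbitMQ remain the primary control.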


Vulnerable Systems:

Apache Airflow versions 1.10.10 and earlier (fixed in 1.10.11)


CVE Information:

CVE-2020-11981


Disclosure Timeline:
Published Date: 7/16/2020
