VDB

SNYK-PYTHON-APACHEAIRFLOW-570290

SNYK-PYTHON-APACHEAIRFLOW-570290 PUBLISHED CVSS 8 HIGH

## Overview [apache-airflow](https://pypi.org/project/apache-airflow/) is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Insecure Default. The celery broker `accept_content` setting was set to: `['json', 'pickle']` by default, allowing deserialization of pickled messages, even if the software is configured to send messages in the JSON format. **Note** An attacker requires access to the message broker used to send messages to Celery workers in order to exploit this vulnerability. ## Remediation Upgrade `apache-airflow` to version 1.10.11 or higher. ## References - [Breaking out of message brokers](https://snyk.io/blog/message-brokers/) - [GitHub PR](https://github.com/apache/airflow/pull/7205) - [Security Advisory](https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E)

Risk Scores

CVSS 3.1
8
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

Affected Products

VendorProductVersions
0

Timeline

  • May 24, 2020 CVE Updated
  • Jul 14, 2020 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›