SNYK-PYTHON-APACHEAIRFLOW-570290
## Overview [apache-airflow](https://pypi.org/project/apache-airflow/) is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Insecure Default. The celery broker `accept_content` setting was set to: `['json', 'pickle']` by default, allowing deserialization of pickled messages, even if the software is configured to send messages in the JSON format. **Note** An attacker requires access to the message broker used to send messages to Celery workers in order to exploit this vulnerability. ## Remediation Upgrade `apache-airflow` to version 1.10.11 or higher. ## References - [Breaking out of message brokers](https://snyk.io/blog/message-brokers/) - [GitHub PR](https://github.com/apache/airflow/pull/7205) - [Security Advisory](https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- May 24, 2020 CVE Updated
- Jul 14, 2020 CVE Published
References
- https://security.snyk.io/vuln/SNYK-PYTHON-APACHEAIRFLOW-570290 advisory
- https://learn.snyk.io/lesson/insecure-defaults/ technical
- https://pypi.org/project/apache-airflow/ vendor
- https://snyk.io/blog/message-brokers/ technical
- https://github.com/apache/airflow/pull/7205 patch
- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E technical