VDB

SNYK-PYTHON-APACHEAIRFLOW-570291

SNYK-PYTHON-APACHEAIRFLOW-570291 PUBLISHED CVSS 8 HIGH

## Overview [apache-airflow](https://pypi.org/project/apache-airflow/) is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Command Injection. The `celery` executor gets plain commands to execute from the message broker, without any sanitization. An attacker can inject arbitrary commands into the queue and therefore achieve command injection. **Note** An attacker requires access to the message broker used to send messages to Celery workers in order to exploit this vulnerability. ## Remediation Upgrade `apache-airflow` to version 1.10.11 or higher. ## References - [Breaking out of message brokers](https://snyk.io/blog/message-brokers/) - [GitHub PR](https://github.com/apache/airflow/pull/9178) - [Security Advisory](https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E) - [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/network/cves/2020/CVE-2020-11981.yaml)

Risk Scores

CVSS 3.1
8
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

Affected Products

VendorProductVersions
0

Timeline

  • May 24, 2020 CVE Updated
  • Jul 14, 2020 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›