SNYK-PYTHON-APACHEAIRFLOW-570291
## Overview [apache-airflow](https://pypi.org/project/apache-airflow/) is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Command Injection. The `celery` executor gets plain commands to execute from the message broker, without any sanitization. An attacker can inject arbitrary commands into the queue and therefore achieve command injection. **Note** An attacker requires access to the message broker used to send messages to Celery workers in order to exploit this vulnerability. ## Remediation Upgrade `apache-airflow` to version 1.10.11 or higher. ## References - [Breaking out of message brokers](https://snyk.io/blog/message-brokers/) - [GitHub PR](https://github.com/apache/airflow/pull/9178) - [Security Advisory](https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E) - [Nuclei Templates](https://github.com/projectdiscovery/nuclei-templates/blob/main/network/cves/2020/CVE-2020-11981.yaml)
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 0 |
Timeline
- May 24, 2020 CVE Updated
- Jul 14, 2020 CVE Published
References
- https://security.snyk.io/vuln/SNYK-PYTHON-APACHEAIRFLOW-570291 advisory
- https://learn.snyk.io/lesson/malicious-code-injection/ technical
- https://pypi.org/project/apache-airflow/ vendor
- https://snyk.io/blog/message-brokers/ technical
- https://github.com/apache/airflow/pull/9178 patch
- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E technical
- https://github.com/projectdiscovery/nuclei-templates/blob/main/network/cves/2020/CVE-2020-11981.yaml technical