First published: Thu Jul 16 2020
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Airflow | <=1.10.10 | |
| pip/apache-airflow | >=0 <1.10.11rc1 | 1.10.11rc1 |
CVE-2020-11981 is a vulnerability found in Apache Airflow versions 1.10.10 and below that allows an attacker to run arbitrary commands by injecting commands through the CeleryExecutor when the broker (Redis, RabbitMQ) is directly accessible.
CVE-2020-11981 has a severity score of 9.8, which is classified as critical.
You can check if your Apache Airflow version is affected by CVE-2020-11981 by verifying if it is version 1.10.10 or below.
The fix for CVE-2020-11981 is to upgrade to Apache Airflow version 1.10.11 or later.
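The two conditions above (an affected version, and a Celery broker an attacker can reach directly) can be triaged together. The script below is an added example, not code from the advisory or from the Airflow project; it assumes the broker URL is the `[celery] broker_url` value from `airflow.cfg`, and all version strings and URLs in it are constructed samples.

```python
"""Triage helper for CVE-2020-11981 (added example; not code from the advisory
or from the Airflow project). Sample versions and broker URLs are constructed.

Reports a deployment as at risk when BOTH hold:
  1. the installed apache-airflow version is below the fixed release, and
  2. the Celery broker URL ([celery] broker_url in airflow.cfg) looks directly
     reachable: no credentials in the URL, or a host other than loopback.
"""
import re
from urllib.parse import urlparse

FIXED_VERSION = "1.10.11rc1"  # first fixed release, per the advisory table
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any of its pre-releases


def parse_version(text):
    """Map '1.10.11rc1' -> ((1,10,11), (2,1)) and '1.10.11' -> ((1,10,11), (3,0))."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # '1.10' -> (1, 10, 0)
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (_FINAL_RANK, 0)
    return release, pre


def version_affected(installed):
    """True when the installed version predates the fix (<= 1.10.10 or an older 1.10.11 pre-release)."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def broker_exposure_reasons(broker_url):
    """Heuristics for 'an attacker can connect to the broker directly'."""
    u = urlparse(broker_url)
    reasons = []
    if not (u.username or u.password):
        reasons.append("broker URL carries no credentials")
    if u.hostname not in ("localhost", "127.0.0.1", "::1"):
        reasons.append(f"broker host {u.hostname!r} is not loopback")
    return reasons


def assess(installed_version, broker_url):
    """Return (at_risk, findings) for one deployment."""
    findings = []
    if version_affected(installed_version):
        findings.append(f"apache-airflow {installed_version} < {FIXED_VERSION}")
    exposure = broker_exposure_reasons(broker_url)
    return bool(findings) and bool(exposure), findings + exposure


if __name__ == "__main__":
    for ver, url in [("1.10.10", "redis://redis.internal:6379/0"),  # constructed samples
                     ("1.10.11", "redis://redis.internal:6379/0"),
                     ("1.10.10", "amqp://airflow:s3cret@127.0.0.1:5672//")]:
        print(ver, url, assess(ver, url))
```

A loopback broker with credentials is still worth patching; the heuristic only narrows which hosts to look at first.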
You can find more information about CVE-2020-11981 on the NIST National Vulnerability Database (NVD), the Apache Airflow mailing list, and the official Apache Airflow GitHub repository.