CVE-2020-11981
UNKNOWN
Published 2020-07-16T23:21:18
No CVSS data available
Description
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
Available Exploits
Apache Airflow <=1.10.10 - Command Injection
ID: CVE-2020-11981
Author: pussycat0x
Critical
References:
- https://github.com/apache/airflow/pull/9178
- https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
- https://github.com/t0m4too/t0m4to
- https://github.com/ARPSyndicate/cvemon
Published: 2020-07-16T23:21:18
Last Modified: 2024-08-04T11:48:57.081Z