CVE-2020-11982 — Deserialization of Untrusted Data in Apache Airflow

CWE-502 — Deserialization of Untrusted Data5 documents4 sources

Severity

9.8CRITICALNVD

EPSS

5.7%

top 9.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Airflow Apache Software Foundation Apache Airflow

Timeline

PublishedJul 17

Latest updateJul 27

Description

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_airflow1.10.10 and below

▶NVDapache/airflow1.10.10

🔴Vulnerability Details

OSV

Insecure default config of Celery worker in Apache Airflow↗2020-07-27

▶

GHSA

Insecure default config of Celery worker in Apache Airflow↗2020-07-27

▶

OSV

CVE-2020-11982: An issue was found in Apache Airflow versions 1↗2020-07-17

▶

CVEList

CVE-2020-11982: An issue was found in Apache Airflow versions 1↗2020-07-16

▶