CVE-2020-11981
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-11981
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11981.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-11981
- Aliases
- Published
- 2020-07-17T00:15:10Z
- Modified
- 2024-11-26T05:50:30.958885Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
- References
Affected packages
Git / github.com/apache/airflow
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/airflow
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
constraints-1.*
constraints-1.10.1
constraints-1.10.10
constraints-1.10.11
constraints-1.10.12
constraints-1.10.13
constraints-1.10.14
constraints-1.10.15
constraints-1.10.15rc1
constraints-1.10.2
constraints-1.10.3
constraints-1.10.4
constraints-1.10.5
constraints-1.10.6
constraints-1.10.7
constraints-1.10.8
constraints-1.10.9