GHSA-rvmq-4x66-q7j3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rvmq-4x66-q7j3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-rvmq-4x66-q7j3/GHSA-rvmq-4x66-q7j3.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-rvmq-4x66-q7j3
- Aliases
- Published
- 2020-07-27T16:57:33Z
- Modified
- 2025-10-22T18:01:06.334817Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A CVSS Calculator
- Summary
- Remote code execution (RCE) in Apache Airflow
- Details
-
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting
load_examples=Falsein the config then you are not vulnerable. - Database specific
{ "severity": "HIGH", "github_reviewed_at": "2020-07-27T16:54:51Z", "cwe_ids": [ "CWE-77", "CWE-78" ], "github_reviewed": true, "nvd_published_at": "2020-07-17T00:15:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-11978
- https://github.com/apache/airflow/pull/9143
- https://github.com/apache/airflow/commit/2fa51576e1283f5732e38fada686fd248d9c3a1e
- https://github.com/apache/airflow/commit/4d8599e8b0520ff4226fbad72f724afae50fdd08
- https://github.com/apache/airflow
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2020-14.yaml
- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11978
- http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-Execution.html
Affected packages
PyPI / apache-airflow
Package
- Name
- apache-airflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.10.11rc1
Affected versions
1.*
1.8.1
1.8.2rc1
1.8.2
1.9.0
1.10.0
1.10.1b1
1.10.1rc2
1.10.1
1.10.2b2
1.10.2rc1
1.10.2rc2
1.10.2rc3
1.10.2
1.10.3b1
1.10.3b2
1.10.3rc1
1.10.3rc2
1.10.3
1.10.4b2
1.10.4rc1
1.10.4rc2
1.10.4rc3
1.10.4rc4
1.10.4rc5
1.10.4
1.10.5rc1
1.10.5
1.10.6rc1
1.10.6rc2
1.10.6
1.10.7rc1
1.10.7rc2
1.10.7rc3
1.10.7
1.10.8rc1
1.10.8
1.10.9rc1
1.10.9
1.10.10rc1
1.10.10rc2
1.10.10rc3
1.10.10rc4
1.10.10rc5
1.10.10