An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2020-07-16T23:21:25
Updated: 2024-08-04T11:48:57.514Z
Reserved: 2020-04-21T00:00:00
Link: CVE-2020-11982
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2020-07-17T00:15:10.477
Modified: 2020-07-24T18:22:15.697
Link: CVE-2020-11982
Redhat
No data.