Arbitrary Command Injection in Apache Airflow with CeleryExecutor

CVE-2020-11981 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the Celery worker running arbitrary commands.
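A defender-side check for the conditions named above, as an added example that is not part of the advisory or of Airflow itself: it reads an `airflow.cfg`, and for CeleryExecutor deployments flags an affected version and a broker URL with no password or no TLS. The function names, finding labels, the list of plaintext schemes and the sample configs are assumptions made for this example.

```python
import configparser
import re
from urllib.parse import urlsplit

AFFECTED_MAX = (1, 10, 10)  # from the advisory: 1.10.10 and below
PLAINTEXT_SCHEMES = {"redis", "amqp", "pyamqp"}  # assumption: non-TLS broker URL schemes


def parse_version(text):
    """'1.10.10' -> (1, 10, 10); suffixes such as 'rc1' are ignored."""
    nums = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def audit(cfg_text, airflow_version):
    """Return findings for one airflow.cfg; empty list if nothing is flagged."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    if cfg.get("core", "executor", fallback="") != "CeleryExecutor":
        return []  # the advisory only concerns CeleryExecutor deployments
    findings = []
    if parse_version(airflow_version) <= AFFECTED_MAX:
        findings.append("affected-version")
    broker = urlsplit(cfg.get("celery", "broker_url", fallback=""))
    if not broker.password:
        findings.append("broker-no-password")
    if broker.scheme in PLAINTEXT_SCHEMES:
        findings.append("broker-plaintext")
    return findings


# Constructed sample configs (not taken from a real deployment).
EXPOSED_CFG = """
[core]
executor = CeleryExecutor
[celery]
broker_url = redis://10.0.0.5:6379/0
"""
HARDENED_CFG = """
[core]
executor = CeleryExecutor
[celery]
broker_url = rediss://:constructed-secret@redis.internal:6380/0
"""

if __name__ == "__main__":
    print(audit(EXPOSED_CFG, "1.10.10"))
    print(audit(HARDENED_CFG, "1.10.11"))
```

The check only sees the configuration file; whether the broker port is reachable from untrusted networks still has to be verified at the firewall or security-group level.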