8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11978

GHSA ID

GHSA-rvmq-4x66-q7j3

EPSS Score

0.99926%

CWE

CWE-77

Published

7/27/2020

Updated

9/11/2024

KEV Status

Yes

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-11978

CVE-2020-11978:
Remote code execution (RCE) in Apache Airflow

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11978

GHSA ID

GHSA-rvmq-4x66-q7j3

EPSS Score

0.99926%

CWE

CWE-77

Published

7/27/2020

Updated

9/11/2024

KEV Status

Yes

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
apache-airflow	pip	>= 0, < 1.10.11rc1	1.10.11rc1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure usage of BashOperator in the example_trigger_target_dag.py. The original implementation constructed bash_command by directly embedding dag_run.conf['message'] (user-controlled input) into the command string via Jinja templating. This allowed attackers to escape the command context and execute arbitrary commands. The patch moved user input to the 'env' parameter and used environment variable substitution, demonstrating the vulnerable pattern was in the BashOperator's bash_command parameter handling within this specific example DAG.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *oun* in *p**** *ir*low v*rsions *.**.** *n* **low. * r*mot* *o**/*omm*n* inj**tion vuln*r**ility w*s *is*ov*r** in on* o* t** *x*mpl* ***s s*ipp** wit* *ir*low w*i** woul* *llow *ny *ut**nti**t** us*r to run *r*itr*ry *omm*n*s *s t** us

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* us*** o* **s*Op*r*tor in t** *x*mpl*_tri***r_t*r**t_***.py. T** ori*in*l impl*m*nt*tion *onstru*t** **s*_*omm*n* *y *ir**tly *m****in* ***_run.*on*['m*ss***'] (us*r-*ontroll** input) into t** *omm*n* strin* vi* J

8.8

Basic Information

Concerned about an active attack path?

CVE-2020-11978: Remote code execution (RCE) in Apache Airflow

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-11978:
Remote code execution (RCE) in Apache Airflow

Vulnerability Intelligence
Miggo AI