
CVE-2020-11981: Command injection via Celery broker in Apache Airflow

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score
0.99549%
Published
7/27/2020
Updated
9/11/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: apache-airflow
Ecosystem: pip
Vulnerable Versions: >= 0, < 1.10.11rc1
First Patched Version: 1.10.11rc1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from executors executing commands received from the broker without validating them: the message queue was treated as a trusted channel, so anyone who could publish to it could choose the argv the worker ran. The critical commit 1dda6fd adds command structure validation (an [airflow, tasks, run] prefix check) to all executor implementations, indicating these functions previously lacked input sanitization. The Celery worker's execute_command() function was particularly exposed because it executes task commands taken directly from broker messages, and the worker is reachable by whoever can connect to the broker (Redis, RabbitMQ). All affected executors shared the same pattern of trusting broker-originated commands.
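The trust pattern described above, as an added Python illustration that is not Airflow's or Celery's own code: a minimal stand-in for the Celery worker task, a constructed broker message, and the pre-fix versus post-fix handling of the argv it carries. The prefix ["airflow", "tasks", "run"], the function names, the CommandRejected exception and the simplified message layout (a JSON body of [args, kwargs, embed], modelled on Celery's protocol 2) are assumptions made for the example.

```python
"""Broker-trust pattern behind CVE-2020-11981, as an added example.

This is NOT Airflow's or Celery's code. It models the worker-side task that
receives an argv from the broker, first as the pre-fix pattern (execute
whatever arrives) and then with a prefix check in the spirit of the fix.
"""
import json
import subprocess
import sys
from typing import Callable, List, Sequence

# Prefix the root-cause note cites for the post-fix check. Assumed here; the
# exact prefix depends on the Airflow release line.
ALLOWED_PREFIX = ["airflow", "tasks", "run"]


class CommandRejected(ValueError):
    """Broker-originated payload does not look like an Airflow task-run command."""


def validate_command(command: object) -> List[str]:
    """Hardened check: accept only a list of strings that begins with the
    Airflow task-run verb. Returns the argv so callers can chain it."""
    if not isinstance(command, list) or not all(isinstance(a, str) for a in command):
        raise CommandRejected("command must be a list of strings")
    if command[: len(ALLOWED_PREFIX)] != ALLOWED_PREFIX:
        raise CommandRejected(f"command must start with {ALLOWED_PREFIX}")
    return command


def _run(argv: Sequence[str]) -> int:
    """Default runner: spawn the argv without a shell and report its exit status."""
    return subprocess.run(list(argv), check=False).returncode


def execute_command_unvalidated(command, runner: Callable[[Sequence[str]], int] = _run) -> int:
    """Pre-fix pattern: the argv carried in the broker message is executed as-is,
    so whoever can publish to the queue decides what the worker runs."""
    return runner(command)


def execute_command_validated(command, runner: Callable[[Sequence[str]], int] = _run) -> int:
    """Post-fix pattern: reject anything that is not an Airflow task-run argv
    before handing it to the runner."""
    return runner(validate_command(command))


def forged_message(argv: List[str]) -> dict:
    """Constructed stand-in for what an attacker with broker access could publish.
    Simplified shape of a Celery protocol-2 message: headers name the task, the
    JSON body is [args, kwargs, embed]; real messages carry more headers."""
    return {
        "headers": {"task": "airflow.executors.celery_executor.execute_command"},
        "body": json.dumps([[argv], {}, {}]),
    }


def decode_task_args(message: dict) -> list:
    """Pull the positional args out of a constructed message body."""
    args, _kwargs, _embed = json.loads(message["body"])
    return args


def worker_handles(message: dict, validated: bool, runner: Callable[[Sequence[str]], int] = _run) -> int:
    """Simulate the worker consuming one message and dispatching the task."""
    (command,) = decode_task_args(message)
    if validated:
        return execute_command_validated(command, runner)
    return execute_command_unvalidated(command, runner)


if __name__ == "__main__":
    # Harmless stand-in for an attacker's `bash -c ...`: exits with status 42.
    injected = [sys.executable, "-c", "import sys; sys.exit(42)"]
    rc = worker_handles(forged_message(injected), validated=False)
    print("unvalidated worker ran the injected argv, exit status", rc)
    try:
        worker_handles(forged_message(injected), validated=True)
    except CommandRejected as exc:
        print("validated worker refused it:", exc)
```

The prefix check only narrows what the worker will run to Airflow's own task-run command; it does not make the broker safe to expose. Restricting who can connect to Redis or RabbitMQ remains the primary control.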


WAF Protection Rules

WAF Rule

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
