CVE-2020-11981: Command injection via Celery broker in Apache Airflow
CVSS Score: 9.8 (CVSS 3.1)

Basic Information
CVE ID: CVE-2020-11981
GHSA ID
EPSS Score: 0.99549%
CWE
Published: 7/27/2020
Updated: 9/11/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| apache-airflow | pip | >= 0, < 1.10.11rc1 | 1.10.11rc1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from executors directly executing commands received from the Celery broker without validating them. The fixing commit 1dda6fd adds command-structure validation (a check that the command begins with [airflow, tasks, run]) to all executor implementations, which indicates that these code paths previously performed no input sanitization. The Celery worker's execute_command() function was the most exposed, since it ran task commands taken directly from broker messages. All affected executors shared the same pattern: they trusted broker-originated commands.