9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11981

GHSA ID

GHSA-976r-qfjj-c24w

EPSS Score

0.99549%

CWE

CWE-78

Published

7/27/2020

Updated

9/11/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-11981

CVE-2020-11981: Command injection via Celery broker in Apache Airflow

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11981

GHSA ID

GHSA-976r-qfjj-c24w

EPSS Score

0.99549%

CWE

CWE-78

Published

7/27/2020

Updated

9/11/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
apache-airflow	pip	>= 0, < 1.10.11rc1	1.10.11rc1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from executors directly executing commands from the broker without validation. The critical commit 1dda6fd adds command structure validation ([airflow, tasks, run] check) to all executor implementations, indicating these functions previously lacked input sanitization. The Celery worker's execute_command() function was particularly vulnerable as it handled task execution directly from broker messages. All affected executors shared the same pattern of trusting broker-originated commands.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *oun* in *p**** *ir*low v*rsions *.**.** *n* **low. W**n usin* **l*ry*x**utor, i* *n *tt**k*r **n *onn**t to t** *rok*r (R**is, R***itMQ) *ir**tly, it is possi*l* to inj**t *omm*n*s, r*sultin* in t** **l*ry work*r runnin* *r*itr*ry *omm*

Reasoning

T** vuln*r**ility st*mm** *rom *x**utors *ir**tly *x**utin* *omm*n*s *rom t** *rok*r wit*out `v*li**tion`. T** *riti**l *ommit ******* ***s *omm*n* stru*tur* `v*li**tion` ([*ir*low, t*sks, `run`] ****k) to *ll *x**utor impl*m*nt*tions, in*i**tin* t**

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-11981: Command injection via Celery broker in Apache Airflow

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI