CVE-2020-11982
Description
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly into the broker, which could lead to a deserialization attack (and thus remote code execution) on the Worker.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
5.664
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2020-11982,CVE-2020-11983,CVE-2020-13927,CVE-2020-9485 are fixed in Python-apache-airflow 1.10.11 | Windows |
| Vulnerabilities CVE-2020-11982,CVE-2020-11983,CVE-2020-13927,CVE-2020-9485 are fixed in Python-apache-airflow for linux 1.10.11 | Linux |
| Deserialization of Untrusted Data Vulnerability (CVE-2020-11982) | NCM |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234