Rabbitmq · Rabbitmq · CVE-2020-11982
**Name of the Vulnerable Software and Affected Versions**
Apache Airflow versions 1.10.10 and below
**Description**
The issue is deserialization of untrusted data in Apache Airflow, which can lead to remote code execution. When CeleryExecutor is in use, a remote attacker can exploit the issue by inserting a malicious payload directly into the broker, such as Redis or RabbitMQ. This can result in the execution of arbitrary code or a denial of service.
**Recommendations**
For Apache Airflow versions 1.10.10 and below, consider updating to a version that includes a fix for this issue; the available data does not identify a specific fixed version. As a temporary workaround, restrict access to the broker to minimize the risk of exploitation, and avoid using CeleryExecutor until the issue is resolved.
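
One way to check a deployment against the workaround above, as an added example that is not part of the original advisory or of Airflow's own code: it reads the `[core] executor` and `[celery] broker_url` / `ssl_active` settings from an `airflow.cfg` and reports how exposed the broker is. The function name `audit_airflow_cfg`, the finding texts and the sample configuration are constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample airflow.cfg fragment (not from any real deployment).
SAMPLE_CFG = """
[core]
executor = CeleryExecutor

[celery]
broker_url = redis://10.0.0.5:6379/0
"""

# URL schemes this example treats as TLS-protected (assumption of the example).
TLS_SCHEMES = {"rediss", "amqps"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_airflow_cfg(text):
    """Return a list of findings about broker exposure under CeleryExecutor."""
    cfg = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cfg.read_string(text)
    findings = []
    if cfg.get("core", "executor", fallback="") != "CeleryExecutor":
        return findings  # the broker is not part of the task path
    findings.append("CeleryExecutor in use: workers act on messages from the broker")
    url = urlsplit(cfg.get("celery", "broker_url", fallback=""))
    if not url.hostname:
        findings.append("broker_url missing or unparseable")
        return findings
    if url.hostname not in LOOPBACK:
        findings.append(f"broker on network host {url.hostname}: "
                        "allow only scheduler and worker addresses")
    if not url.password:
        findings.append("no password in broker_url: any client that connects can enqueue")
    elif (url.username, url.password) == ("guest", "guest"):
        findings.append("RabbitMQ default guest/guest credentials in use")
    tls = (url.scheme in TLS_SCHEMES
           or cfg.getboolean("celery", "ssl_active", fallback=False))
    if not tls:
        findings.append(f"scheme '{url.scheme}' without ssl_active: broker traffic is not TLS-protected")
    return findings


if __name__ == "__main__":
    for finding in audit_airflow_cfg(SAMPLE_CFG):
        print("-", finding)
```

An empty result means the configuration does not use CeleryExecutor; a single finding means the broker is local, authenticated and TLS-protected but still on the task path.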