PT-2020-6601 · Apache · Apache Airflow

Xuxiang · Published 2020-07-16 · Updated 2025-10-23 · CVE-2020-11978

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions 1.10.10 and below

Description: A command injection vulnerability in Apache Airflow allows a remote attacker to execute arbitrary commands with superuser privileges. The root cause is improper neutralization of special elements used in an operating system command. The vulnerability was found in one of the example DAGs shipped with Airflow and can be exploited by any authenticated user to run arbitrary commands as the user running the Airflow worker or scheduler.

Recommendations: For Apache Airflow versions 1.10.10 and below, consider disabling the example DAGs by setting load_examples = False in the config to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
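The following audit check, added here as an example and not part of the advisory or of Airflow itself, evaluates whether the recommended mitigation is actually in effect: it reads the [core] load_examples key from an airflow.cfg-style text, honours the AIRFLOW__CORE__LOAD_EXAMPLES environment override that takes precedence over the file, and falls back to the Airflow 1.10.x default of True when the key is absent. The sample config texts are constructed for the demonstration, and the boolean parsing is a simplified stand-in for Airflow's own.

```python
import configparser
from typing import Mapping

# Simplified truthy set; Airflow's own getboolean() is stricter (t/true/1).
TRUE_VALUES = {"true", "t", "yes", "y", "1", "on"}


def parse_bool(raw: str) -> bool:
    """Interpret a config/env string as a boolean, ignoring a trailing comment."""
    return raw.split("#")[0].strip().lower() in TRUE_VALUES


def effective_load_examples(cfg_text: str, env: Mapping[str, str]) -> bool:
    """Return the value Airflow would use for [core] load_examples.

    Precedence: AIRFLOW__CORE__LOAD_EXAMPLES env var > airflow.cfg > default True.
    """
    override = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if override is not None:
        return parse_bool(override)
    # interpolation=None: Airflow configs contain '%' in log format strings.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if parser.has_option("core", "load_examples"):
        return parse_bool(parser.get("core", "load_examples"))
    return True  # Airflow 1.10.x ships example DAGs enabled by default


def audit(cfg_text: str, env: Mapping[str, str]) -> str:
    """One-line verdict suitable for a hardening checklist."""
    if effective_load_examples(cfg_text, env):
        return "FAIL: example DAGs are loaded; set load_examples = False under [core]"
    return "PASS: example DAGs are disabled"


# Constructed sample configurations (not taken from any real deployment).
WEAK_CFG = "[core]\ndags_folder = /opt/airflow/dags\nload_examples = True\n"
HARDENED_CFG = "[core]\ndags_folder = /opt/airflow/dags\nload_examples = False\n"
MISSING_KEY_CFG = "[core]\ndags_folder = /opt/airflow/dags\n"

if __name__ == "__main__":
    print(audit(WEAK_CFG, {}))
    print(audit(HARDENED_CFG, {}))
    print(audit(MISSING_KEY_CFG, {}))
    # A hardened file is undone by an environment override.
    print(audit(HARDENED_CFG, {"AIRFLOW__CORE__LOAD_EXAMPLES": "True"}))
```

The last case matters in containerised deployments, where the environment variable rather than the file usually decides the setting.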

Exploit

OS Command Injection

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2022-00709
BIT-AIRFLOW-2020-11978
CVE-2020-11978
GHSA-RVMQ-4X66-Q7J3
PYSEC-2020-14

Affected Products

Apache Airflow