PT-2020-6686 · Redis+2

Adam Goldschmit · Published 2020-07-13 · Updated 2024-03-06 · CVE-2020-11982

CVSS v2.0: 10.0 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions 1.10.10 and below, when run with CeleryExecutor.

Description: The issue is a deserialization of untrusted data in Apache Airflow's CeleryExecutor. Celery workers trust whatever arrives on the task queue, so an attacker who can connect to the broker (Redis or RabbitMQ) directly, with no Airflow credentials at all, can insert a crafted message into the queue. When a worker picks the message up and deserializes it, the attacker-controlled payload is executed, giving remote code execution on the worker host, or a denial of service. The broker is therefore a trust boundary: anyone who can write to it can run code as the Airflow worker.

Recommendations: Upgrade to Apache Airflow 1.10.11 or later, which contains the fix for this issue. Until the upgrade is done, treat the broker as a sensitive component: bind it to a private interface, require authentication (for Redis, requirepass; for RabbitMQ, dedicated users with per-vhost permissions), enable TLS, and allow connections only from the scheduler and worker hosts. Avoid CeleryExecutor on a broker that is reachable from untrusted networks until the upgrade is in place. Check the broker's network exposure as well as its authentication settings; a broker that is reachable from outside the deployment is exploitable regardless of how well the Airflow webserver itself is locked down.
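The following is an added example, not code from Apache Airflow or Celery, that models the trust problem in the description and the mitigation in the recommendations above. The "broker" is an in-memory queue and the "worker" is a loop that decodes each message according to an accept_content list, mirroring the Celery setting of that name; the pickle content-type string is the one kombu uses, while ContentDisallowed is a local stand-in for kombu.exceptions.ContentDisallowed and the AIRFLOW_DEMO_PWNED marker variable is an assumed name chosen for the demo. The forged message carries no attacker code of its own: pickle stores a reference to builtins.eval and the worker supplies the interpreter, which is why write access to the broker is enough.

```python
# Constructed, stand-alone model of the trust boundary behind CVE-2020-11982.
# Added example: not Apache Airflow or Celery code, and it never talks to a real
# broker. The queue is in memory; accept_content mirrors the Celery setting.
import json
import os
import pickle
from collections import deque
from dataclasses import dataclass
from typing import Any

PICKLE_CT = "application/x-python-serialize"  # kombu's content type for pickle
JSON_CT = "application/json"

# Environment variable set by the attacker payload; assumed name for the demo.
MARKER = "AIRFLOW_DEMO_PWNED"


class ContentDisallowed(Exception):
    """Local stand-in for kombu.exceptions.ContentDisallowed."""


@dataclass
class BrokerMessage:
    content_type: str
    body: bytes


class AttackerTask:
    """Object whose pickle stream makes the loader call eval() on our string.

    pickle records the callable by reference (builtins.eval), so nothing has
    to be installed on the worker; the worker's own interpreter does the work.
    """
    EXPR = f"__import__('os').environ.setdefault({MARKER!r}, 'ran on worker')"

    def __reduce__(self):
        return (eval, (self.EXPR,))


def forge_pickle_message() -> BrokerMessage:
    """What an attacker with broker write access pushes onto the task queue."""
    return BrokerMessage(PICKLE_CT, pickle.dumps(AttackerTask()))


def legitimate_json_message(task_id: str) -> BrokerMessage:
    """A constructed JSON task message, the shape a hardened worker accepts."""
    return BrokerMessage(JSON_CT, json.dumps({"task_id": task_id}).encode())


def decode(msg: BrokerMessage, accept_content: list[str]) -> Any:
    """Decode a message only if its serializer is listed in accept_content."""
    if msg.content_type == JSON_CT and "json" in accept_content:
        return json.loads(msg.body)
    if msg.content_type == PICKLE_CT and "pickle" in accept_content:
        # Deserialisation of untrusted data: pickle.loads performs whatever
        # the stream's __reduce__ requested, here eval() of the attacker string.
        return pickle.loads(msg.body)
    raise ContentDisallowed(f"refusing content type {msg.content_type}")


def run_worker(accept_content: list[str], queue: deque) -> dict[str, list]:
    """Drain the queue the way a worker would; report decoded vs rejected."""
    report: dict[str, list] = {"processed": [], "rejected": []}
    while queue:
        msg = queue.popleft()
        try:
            report["processed"].append(decode(msg, accept_content))
        except ContentDisallowed as exc:
            report["rejected"].append(str(exc))
    return report


def demo(accept_content: list[str]) -> tuple[dict[str, list], bool]:
    """Run one worker config against a queue holding a legitimate JSON task
    and a forged pickle message. Returns the report and whether the attacker
    code ran, i.e. whether MARKER appeared in the worker's environment."""
    os.environ.pop(MARKER, None)
    queue = deque([legitimate_json_message("dag.task"), forge_pickle_message()])
    report = run_worker(accept_content, queue)
    return report, MARKER in os.environ


if __name__ == "__main__":
    # Vulnerable: pickle accepted, attacker code executes on the worker.
    print("accept_content=['json', 'pickle'] ->", demo(["json", "pickle"]))
    # Hardened: JSON only, the forged message is rejected before decoding.
    print("accept_content=['json']           ->", demo(["json"]))
```

Run it with a current Python 3; the first line of output shows the marker variable appearing in the process environment after the pickle message is loaded, the second shows the same message rejected with no side effect. Restricting the accepted serializers is defence in depth on top of locking down the broker and upgrading, not a replacement for either: a worker that accepts pickle from any writer to the queue is in exactly the position this advisory describes.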

RCE

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

BDU:2022-04611
BIT-AIRFLOW-2020-11982
CVE-2020-11982
GHSA-9G2W-5F3V-MFMM
PYSEC-2020-16

Affected Products

Apache Airflow
RabbitMQ
Redis