Apache Airflow < 1.10.10 - OS Command Injection
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
Exploits (1)
Nuclei Templates (1)
Apache Airflow <=1.10.10 - Command Injection
CRITICAL | VERIFIED | by pussycat0x
Shodan:
product:"redis" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow"
FOFA:
apache airflow || title="airflow - dags" || http.html:"apache airflow" || title="sign in - airflow"
Scores
CVSS v3: 9.8
EPSS: 0.9159
EPSS Percentile: 99.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (2)
apache/airflow: < 1.10.10
pypi/apache-airflow: 0 - 1.10.11rc1 (PyPI)
Published: Jul 17, 2020
Tracked Since: Feb 18, 2026