CVE-2020-11982

CRITICAL

Apache Airflow < 1.10.10 - Insecure Deserialization

Title source: rule

Description

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.

References (1)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.0566

EPSS Percentile 90.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

apache/airflow < 1.10.10

pypi/apache-airflow < 1.10.11PyPI

Timeline

Published Jul 17, 2020

Tracked Since Feb 18, 2026