CVE-2020-11982
CRITICALApache Airflow < 1.10.10 - Remote Code Execution via CeleryExecutor Deserialization
Title source: llmDescription
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attack can connect to the broker (Redis, RabbitMQ) directly, it was possible to insert a malicious payload directly to the broker which could lead to a deserialization attack (and thus remote code execution) on the Worker.
References (1)
Core 1
Core References
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
Scores
CVSS v3
9.8
EPSS
0.0566
EPSS Percentile
90.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (2)
apache/airflow
< 1.10.10
pypi/apache-airflow
0 - 1.10.11PyPI
Published
Jul 17, 2020
Tracked Since
Feb 18, 2026