Описание
An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
Ссылки
- ExploitThird Party AdvisoryVDB Entry
- ExploitThird Party AdvisoryVDB Entry
- Mailing ListVendor Advisory
- ExploitThird Party AdvisoryVDB Entry
- ExploitThird Party AdvisoryVDB Entry
- Mailing ListVendor Advisory
- Third Party AdvisoryUS Government Resource
Уязвимые конфигурации
EPSS
8.8 High
CVSS3
6.5 Medium
CVSS2
Дефекты
Связанные уязвимости
An issue was found in Apache Airflow versions 1.10.10 and below. A rem ...
Уязвимость программного обеспечения создания, мониторинга и оркестрации сценариев обработки данных Airflow, связанная с непринятием мер по нейтрализации специальных элементов используемых в команде ОС, позволяющая нарушителю выполнить произвольные команды с привилегиями суперпользователя
EPSS
8.8 High
CVSS3
6.5 Medium
CVSS2