The vulnerability of the software responsible for creating, monitoring, and orchestrating data processing scripts in Airflow lies in the failure to take measures to neutralize special elements used in the OS commands. This allows a malicious actor to execute arbitrary commands with superuser privileges.

Airflow script management vulnerability: unneutralized operating system commands enable remote arbitrary actions with superuser privileges.

Reporter	Title	Published	Views	Family All 33
0day.today	Apache Airflow 1.10.10 - (Example Dag) Remote Code Execution Exploit	2 Jun 202100:00	–	zdt
0day.today	Apache Airflow 1.10.10 Remote Code Execution Exploit	19 Sep 202300:00	–	zdt
Gitee	Exploit for OS Command Injection in Apache Airflow	6 Sep 202512:42	–	gitee
GithubExploit	Exploit for OS Command Injection in Apache Airflow	22 May 202115:58	–	githubexploit
ATTACKERKB	CVE-2020-11978	17 Jul 202000:00	–	attackerkb
Tenable Nessus	Apache Airflow < 1.10.11 Multiple Vulnerabilities	13 Jun 202200:00	–	nessus
Circl	CVE-2020-11978	3 Jun 202100:39	–	circl
CISA KEV Catalog	Apache Airflow Command Injection	18 Jan 202200:00	–	cisa_kev
CISA	CISA Adds 13 Known Exploited Vulnerabilities to Catalog	18 Jan 202200:00	–	cisa
CNVD	Apache Airflow Command Injection Vulnerability	19 Jul 202000:00	–	cnvd

Vulners

Node

apache airflowRange≤1.10.10

Source	Link
lists	www.lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
packetstormsecurity	www.packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html
cisa	www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
web	www.web.nvd.nist.gov/view/vuln/detail

24 Sep 2024 00:00Current

8.1High risk

Vulners AI Score8.1

CVSS 26.5

CVSS 38.8

EPSS0.94272