Command injection via Celery broker in Apache Airflow

2020-07-27T16:57:33
ID GHSA-976R-QFJJ-C24W
Type github
Reporter GitHub Advisory Database
Modified 2020-07-27T16:57:33

Description

An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.