2 matches found
Command injection via Celery broker in Apache Airflow
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect directly to the broker (Redis, RabbitMQ), it is possible to inject commands, resulting in the Celery worker running arbitrary commands...
Insecure Default
Overview: apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Insecure Default. The Celery broker accept_content setting was set to: 'json', 'pickle' by default, allowing deserialization of pickled messages,...