2020-07-17 02:15:00 2020-07-22 19:15:00

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

Vector

NETWORK

Complexity

LOW

Authentication

SINGLE

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL