Improper Input Validation in Apache Airflow resulting in Remote Code Execution · CVE-2017-15720 · GitHub Advisory Database · GitHub

Improper Input Validation in Apache Airflow resulting in Remote Code Execution

High severity GitHub Reviewed Published Jan 25, 2019 to the GitHub Advisory Database • Updated Mar 6, 2024

Package

apache-airflow (pip)

Affected versions

<= 1.8.2

Patched versions

1.9.0

Description

In Apache Airflow 1.8.2 and earlier, an authenticated user can execute code remotely on the Airflow webserver by creating a special object.

References

Published to the GitHub Advisory Database Jan 25, 2019

Reviewed Jun 16, 2020

Last updated Mar 6, 2024

Severity

High

8.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H