Insecure Default Variable Initialization in Apache Airflow - CVE-2020-11982

 

Insecure Default Variable Initialization in Apache Airflow - CVE-2020-11982

Published: July 20, 2020


Vulnerability identifier: #VU31686
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Green
CVE-ID: CVE-2020-11982
CWE-ID: CWE-453
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Airflow

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to the affected software, by default, initializes an internal variable with an insecure or less secure value than is possible. A remote authenticated attacker who can connect to the broker (Redis, RabbitMQ) directly can pass specially crafted data to the application and execute arbitrary code on the target system.


How to mitigate CVE-2020-11982

Install updates from vendor's website.

Sources