#VU31686 Insecure Default Variable Initialization in Apache Airflow - CVE-2020-11982

Published: July 20, 2020


Vulnerability identifier: #VU31686
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Green
CVE-ID: CVE-2020-11982
CWE-ID: CWE-453
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Apache Airflow
Software vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because the affected software, by default, initializes an internal variable with an insecure or less secure value than is possible. A remote authenticated attacker who can connect to the broker (Redis, RabbitMQ) directly can pass specially crafted data to the application and execute arbitrary code on the target system.
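The advisory does not name the variable. The following is an added illustration, not code from the advisory or from the Apache Airflow project, of the class of weakness it describes: a worker that decodes task messages from a broker using a serializer allowlist. It assumes (consistent with the published description of CVE-2020-11982 as a deserialization attack on the worker) that the insecure default is an accept_content-style allowlist that includes a code-executing serializer such as pickle. The names BrokerMessage, WorkerConfig, INSECURE_DEFAULT and HARDENED, and the sample queue, are constructed for the example.

```python
import json
import pickle
from dataclasses import dataclass
from typing import Any, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class BrokerMessage:
    """Constructed stand-in for a task message read from a broker queue."""
    content_type: str  # serializer named in the message header, e.g. "json" or "pickle"
    body: bytes


@dataclass(frozen=True)
class WorkerConfig:
    """Hypothetical worker setting: which serializers the worker will decode.

    Modelled on the accept_content allowlist style used by Celery workers; the
    exact Airflow/Celery variable is an assumption, not taken from the advisory.
    """
    accept_content: Tuple[str, ...]


# Assumed insecure default: a code-executing serializer is enabled, so whoever
# can write to the broker decides what the worker unpickles.
INSECURE_DEFAULT = WorkerConfig(accept_content=("pickle", "json"))
# Hardened value: a data-only format; a pickle message is refused before decoding.
HARDENED = WorkerConfig(accept_content=("json",))


class RejectedMessage(Exception):
    """Raised when a message's serializer is not on the worker's allowlist."""


def decode_message(msg: BrokerMessage, cfg: WorkerConfig) -> Any:
    """Decode a broker message, enforcing the allowlist before any deserializer runs."""
    if msg.content_type not in cfg.accept_content:
        raise RejectedMessage(
            f"content type {msg.content_type!r} not in accept_content={cfg.accept_content}"
        )
    if msg.content_type == "json":
        return json.loads(msg.body.decode("utf-8"))
    if msg.content_type == "pickle":
        # pickle.loads executes the instructions in the payload; this branch is
        # only reachable when the configuration explicitly allows "pickle".
        return pickle.loads(msg.body)
    raise RejectedMessage(f"no decoder for {msg.content_type!r}")


def audit_config(cfg: WorkerConfig) -> List[str]:
    """Configuration check: flag a serializer that executes code on load."""
    findings: List[str] = []
    if "pickle" in cfg.accept_content:
        findings.append(
            "accept_content permits 'pickle': anyone with write access to the "
            "broker can trigger code execution on the worker"
        )
    return findings


def audit_messages(msgs: Sequence[BrokerMessage], cfg: WorkerConfig) -> Dict[str, int]:
    """Detection aid: count queued messages, per content type, that the allowlist rejects."""
    rejected: Dict[str, int] = {}
    for m in msgs:
        if m.content_type not in cfg.accept_content:
            rejected[m.content_type] = rejected.get(m.content_type, 0) + 1
    return rejected


# Constructed sample queue: one ordinary JSON task and one benign pickled object.
SAMPLE_QUEUE = [
    BrokerMessage("json", json.dumps({"task": "run_dag", "args": ["example_dag"]}).encode()),
    BrokerMessage("pickle", pickle.dumps({"task": "run_dag", "args": ["example_dag"]})),
]


if __name__ == "__main__":
    for cfg_name, cfg in (("insecure default", INSECURE_DEFAULT), ("hardened", HARDENED)):
        print(cfg_name, "findings:", audit_config(cfg) or "none")
        for m in SAMPLE_QUEUE:
            try:
                print("  decoded", m.content_type, "->", decode_message(m, cfg))
            except RejectedMessage as exc:
                print("  rejected", m.content_type, "->", exc)
```

Under the insecure default both queued messages are decoded, so the trust boundary is the broker's network and credentials. Under the hardened allowlist the pickle message is rejected before any deserializer runs, and audit_messages gives a defender a count of such rejections to alert on, since a worker that should only ever see JSON tasks has no legitimate reason to receive pickled ones.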


Remediation

Install updates from the vendor's website.

External links