Warning: Combination of existing vulnerabilities in Apache Airflow version 1.10.10 can lead to unauthenticated Remote Code Execution. Verify your systems and update!
- CVSS Score: 8.8 HIGH
- CVSS Score: 9.8 CRITICAL
A Metasploit module is now available that combines the critical vulnerabilities CVE-2020-11978 and CVE-2020-13927, allowing vulnerable DAG (Directed Acyclic Graph) creation and command injection in Apache Airflow version 1.10.10.
As Apache is widely used, the Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.
The Centre for Cybersecurity Belgium strongly recommends that system administrators upgrade to the latest version of Apache Airflow.