Reference: Advisory #2023-112
Version: 1.0
Affected software: Apache Airflow version 1.10.10
Type: Remote Code Execution (RCE)
CVE/CVSS:
CVE-2020-11978
→ CVSS Score: 8.8 HIGH
→ CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-13927
→ CVSS Score: 9.8 CRITICAL
→ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-11978: https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx
CVE-2020-13927: https://lists.apache.org/thread/mq1bpqf3ztg1nhyc5qbrjobfrzttwx1d
A Metasploit module has become available that combines the critical vulnerabilities CVE-2020-11978 and CVE-2020-13927, allowing vulnerable DAG (Directed Acyclic Graph) creation and command injection in Apache Airflow version 1.10.10.
As Apache is widely used, the Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.
The Centre for Cybersecurity Belgium strongly recommends that system administrators upgrade to the latest version of Apache Airflow.
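To support the patching recommendation above, the following added example (not part of the CCB advisory or of Apache Airflow's own code) audits one installation's version and airflow.cfg for exposure to the two CVEs. The fixed-version threshold 1.10.11 and the two configuration keys are assumptions taken from the upstream Apache announcements linked above, and the sample configurations are constructed.

```python
import configparser
import re

FIXED = (1, 10, 11)  # assumption: first release with both fixes, per the Apache threads
OPEN_BACKEND = "airflow.api.auth.backend.default"   # accepts every API request
DENY_BACKEND = "airflow.api.auth.backend.deny_all"

# Constructed sample configs (not taken from a real deployment).
SAMPLE_DEFAULT_CFG = """
[core]
load_examples = True
[api]
auth_backend = airflow.api.auth.backend.default
"""
SAMPLE_HARDENED_CFG = """
[core]
load_examples = False
[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

def parse_version(text):
    """Return (major, minor, patch); suffixes such as 'rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def audit(version, cfg_text):
    """List findings for one Airflow install. AIRFLOW__SECTION__KEY environment
    overrides are not inspected here and must be checked separately."""
    cfg = configparser.ConfigParser(interpolation=None)  # no '%' interpolation of values
    cfg.read_string(cfg_text)
    old = parse_version(version) < FIXED
    findings = []
    if old:
        findings.append("UPGRADE: %s predates 1.10.11" % version)
        # CVE-2020-11978 sits in a bundled example DAG, so it needs examples loaded.
        if cfg.getboolean("core", "load_examples", fallback=True):
            findings.append("CVE-2020-11978: load_examples is enabled")
    # An explicit open backend survives an upgrade, so check it on every version.
    default = OPEN_BACKEND if old else DENY_BACKEND
    if cfg.get("api", "auth_backend", fallback=default).strip() == OPEN_BACKEND:
        findings.append("CVE-2020-13927: experimental API has no authentication")
    return findings

if __name__ == "__main__":
    for finding in audit("1.10.10", SAMPLE_DEFAULT_CFG):
        print(finding)
```

An empty result only means these two settings look safe; it does not replace the upgrade or the log review recommended above.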