Sept. 19, 2023, 4 p.m.

Packet Storm packetstormsecurity.com

This Metasploit module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow version 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, "example_trigger_target_dag", which allows any authenticated user to run arbitrary OS commands as the user running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's Experimental REST API to perform malicious actions such as creating the vulnerable …
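A defender-side check for the two conditions this description names, added here as an example that is not part of the Packet Storm entry or the Metasploit module: it reads an `airflow.cfg` and reports whether the Experimental REST API is on the open default backend and whether example DAGs are loaded. The sample configs are constructed and the function names are hypothetical; `[api] auth_backend`, `[core] load_examples` and the `AIRFLOW__SECTION__KEY` environment override are Airflow's own.

```python
import configparser
import os

# Constructed sample: an airflow.cfg left at the 1.10.10 defaults.
SAMPLE_DEFAULT_CFG = """
[core]
load_examples = True
[api]
auth_backend = airflow.api.auth.backend.default
"""

# Constructed sample: both settings changed.
SAMPLE_HARDENED_CFG = """
[core]
load_examples = False
[api]
auth_backend = airflow.api.auth.backend.deny_all
"""

OPEN_BACKEND = "airflow.api.auth.backend.default"  # accepts every request


def _setting(cfg, env, section, key, default):
    """Resolve a setting the way Airflow does: environment first, then file."""
    env_name = f"AIRFLOW__{section.upper()}__{key.upper()}"
    if env_name in env:
        return env[env_name].strip()
    # A missing section or key means the built-in default applies.
    return cfg.get(section, key, fallback=default).strip()


def audit_airflow_cfg(text, env=None):
    """Return findings for the two settings behind the chained exploit."""
    env = os.environ if env is None else env
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if _setting(cfg, env, "api", "auth_backend", OPEN_BACKEND) == OPEN_BACKEND:
        findings.append("CVE-2020-13927: Experimental API accepts "
                        "unauthenticated requests (auth_backend is default)")
    if _setting(cfg, env, "core", "load_examples", "True").lower() in ("true", "t", "1"):
        findings.append("CVE-2020-11978: example DAGs are loaded, including "
                        "example_trigger_target_dag")
    return findings


if __name__ == "__main__":
    for finding in audit_airflow_cfg(SAMPLE_DEFAULT_CFG, env={}):
        print(finding)
```

Passing `env={}` audits the file alone; leaving it unset also honours overrides present in the process environment.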
