Arbitrary Code Execution Affecting airflow package, versions [0.1,]

Snyk CVSS

Attack Complexity Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PYTHON-AIRFLOW-40616
published 3 Mar 2017
disclosed 3 Mar 2017
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 3 Mar 2017

CWE-94 Open this link in a new tab

Overview

airflow is a Programmatically author, schedule and monitor data pipelines.

Affected versions of this package are vulnerable to Arbitrary Code Execution. User input is sent unchecked to the the python eval function which directly executes the parameters. Any user who can create or edit charts may execute arbitrary code on the server.

References

Jira Issue
GitHub PR
GitHub Commit