Homepage
About Snyk

Arbitrary Code Execution Affecting airflow package, versions [0.1,]

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-AIRFLOW-40616
  • published 3 Mar 2017
  • disclosed 3 Mar 2017
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 3 Mar 2017

CVE NOT AVAILABLE CWE-94 Open this link in a new tab

Overview

airflow is a Programmatically author, schedule and monitor data pipelines.

Affected versions of this package are vulnerable to Arbitrary Code Execution. User input is sent unchecked to the the python eval function which directly executes the parameters. Any user who can create or edit charts may execute arbitrary code on the server.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    Low