Skip to content
Nuclei Templates

Airflow Experimental <1.10.11 - REST API Auth Bypass

ID: CVE-2020-13927

Severity: critical

Author: pdteam

Tags: cve2020,cve,packetstorm,apache,airflow,unauth,auth-bypass,kev

Description

Section titled “Description”

Airflow’s Experimental API prior 1.10.11 allows all API requests without authentication.

YAML Source

Section titled “YAML Source”
id: CVE-2020-13927


info:
  name: Airflow Experimental <1.10.11 - REST API Auth Bypass
  author: pdteam
  severity: critical
  description: |
    Airflow's Experimental API prior 1.10.11 allows all API requests without authentication.
  impact: |
    Allows unauthorized access to Airflow Experimental REST API
  remediation: |
    From Airflow 1.10.11 forward, the default has been changed to deny all requests by default.  Note - this change fixes it for new installs but existing users need to change their config to default `[api]auth_backend = airflow.api.auth.backend.deny_all` as mentioned in the Updating Guide linked in the references.
  reference:
    - https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
    - http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html
    - https://airflow.apache.org/docs/1.10.11/security.html#api-authenticatio
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13927
    - http://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-13927
    cwe-id: CWE-1188
    epss-score: 0.96667
    epss-percentile: 0.99637
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: airflow
    shodan-query:
      - title:"Airflow - DAGs" || http.html:"Apache Airflow"
      - http.title:"airflow - dags" || http.html:"apache airflow"
      - http.title:"sign in - airflow"
      - product:"redis"
    fofa-query:
      - title="sign in - airflow"
      - apache airflow
      - title="airflow - dags" || http.html:"apache airflow"
    google-query:
      - intitle:"sign in - airflow"
      - intitle:"airflow - dags" || http.html:"apache airflow"
  tags: cve2020,cve,packetstorm,apache,airflow,unauth,auth-bypass,kev


http:
  - method: GET
    path:
      - '{{BaseURL}}/api/experimental/latest_runs'


    matchers:
      - type: word
        part: body
        words:
          - '"dag_run_url":'
          - '"dag_id":'
          - '"items":'
        condition: and
# digest: 4a0a004730450220479e44e06726b9a74fa380fe8b643e3ae263ed5f69a699bca2422bf29e8c8cc9022100cdc1285ae37dc468c1663ef4b593bc9c1ddbdcc489e3c67a690c44c0f27c0e69:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-13927.yaml"

View on Github