Skip to content
Nuclei Templates

Apache Airflow OS Command Injection

ID: CVE-2022-24288

Severity: high

Author: xeldax

Tags: cve,cve2022,airflow,rce,apache

Description

Section titled “Description”

Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI.

YAML Source

Section titled “YAML Source”
id: CVE-2022-24288


info:
  name: Apache Airflow OS Command Injection
  author: xeldax
  severity: high
  description: Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
  remediation: |
    Apply the latest security patches or upgrade to a patched version of Apache Airflow.
  reference:
    - https://github.com/advisories/GHSA-3v7g-4pg3-7r6j
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24288
    - https://lists.apache.org/thread/dbw5ozcmr0h0lhs0yjph7xdc64oht23t
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/Hax0rG1rl/my_cve_and_bounty_poc
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-24288
    cwe-id: CWE-78
    epss-score: 0.81676
    epss-percentile: 0.98279
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: airflow
    shodan-query:
      - title:"Airflow - DAGs" || http.html:"Apache Airflow"
      - http.title:"airflow - dags" || http.html:"apache airflow"
      - http.title:"sign in - airflow"
      - product:"redis"
    fofa-query:
      - title="sign in - airflow"
      - apache airflow
      - title="airflow - dags" || http.html:"apache airflow"
    google-query:
      - intitle:"sign in - airflow"
      - intitle:"airflow - dags" || http.html:"apache airflow"
  tags: cve,cve2022,airflow,rce,apache


http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/airflow/code?root=&dag_id=example_passing_params_via_test_command"
      - "{{BaseURL}}/code?dag_id=example_passing_params_via_test_command"


    stop-at-first-match: true
    matchers:
      - type: word
        words:
          - 'foo was passed in via Airflow CLI Test command with value {{ params.foo }}' # Works with unauthenticated airflow instance
# digest: 490a0046304402201b291b5d74074729fdf3d0ce0b4670adaad9fd690bfcf9c4579c3b96f106c3000220693a23c6c96c681ccc195c321b55bc248bfc610b51cda53040d6ddcaf5ef6b21:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-24288.yaml"

View on Github