Apache Airflow's Docker provider shipped with an example DAG that was vulnerable to (authenticated) remote code execution on the Airflow worker host.
## Vulnerability summary:
In Airflow 2.3.3, the example DAG script shipped with the Docker provider (example_docker_copy_data.py) contains a command injection vulnerability (RCE) through which an authenticated user can obtain operating-system command execution on the worker.
Source path:
airflow-2.3.3/airflow/providers/docker/example_dags/example_docker_copy_data.py
## Vulnerability details:
(1) Vulnerability principle:
{F1869746}
{F1869748}
(2) Vulnerability exploit:
http://192.168.3.17:8080/trigger?dag_id=docker_sample_copy_data
{F1869749}
{F1869750}
PAYLOAD: {"source_location":";touch /tmp/thisistest;"}, then click Trigger to execute the task.
{F1869755}
The final command is as follows:
find ;touch /tmp/thisistest; -type f -printf "%f\n" | head -1
The task log and a look at the server show that the injected command was executed successfully.
{F1869756}
{F1869757}
An attacker can execute arbitrary commands on the Airflow host.
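As an added example (not code from the report or from Airflow), the following Python models the vulnerable pattern and one hardening: an allow-list check on the conf value plus shlex.quote before it is rendered into the pipeline. Airflow renders bash_command as a Jinja template, so a dag_run.conf value lands in the shell string verbatim. ALLOWED_BASE, the sample conf dictionaries and the helper names are assumptions constructed for the example.

```python
import shlex
from pathlib import PurePosixPath

# Shell pipeline from the report's example DAG. Airflow renders bash_command as a
# Jinja template, so a dag_run.conf value is pasted into this string verbatim.
PIPELINE = 'find {source_location} -type f -printf "%f\\n" | head -1'

# Constructed sample run-configurations, as submitted when triggering the DAG.
MALICIOUS_CONF = {"source_location": ";touch /tmp/thisistest;"}
BENIGN_CONF = {"source_location": "/data/input/2022-08"}

# Hypothetical directory the DAG is meant to read from; not from the report.
ALLOWED_BASE = PurePosixPath("/data/input")

def build_vulnerable(conf: dict) -> str:
    """Mirror the example DAG: the user value goes into the shell string unquoted."""
    return PIPELINE.format(source_location=conf["source_location"])

def build_quoted(conf: dict) -> str:
    """Quote only: shlex.quote turns the whole value into one shell word."""
    return PIPELINE.format(source_location=shlex.quote(conf["source_location"]))

def is_allowed_source(location: str) -> bool:
    """Accept only absolute paths at or below ALLOWED_BASE with no '..' components."""
    path = PurePosixPath(location)
    return (path.is_absolute() and ".." not in path.parts
            and (path == ALLOWED_BASE or ALLOWED_BASE in path.parents))

def build_hardened(conf: dict) -> str:
    """Validate against the allow-list, then quote; reject anything else."""
    location = conf["source_location"]
    if not is_allowed_source(location):
        raise ValueError(f"source_location rejected: {location!r}")
    return PIPELINE.format(source_location=shlex.quote(location))

def shell_command_count(cmd: str) -> int:
    """1 + the number of unquoted ; | && || operators, i.e. the simple commands
    bash would run. punctuation_chars makes shlex emit operators as their own
    tokens, while a ';' inside quotes stays part of a single word."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lex if tok in (";", "|", "&&", "||"))

if __name__ == "__main__":
    for cmd in (build_vulnerable(MALICIOUS_CONF), build_quoted(MALICIOUS_CONF),
                build_hardened(BENIGN_CONF)):
        print(shell_command_count(cmd), "command(s):", cmd)
```

The vulnerable build yields four shell commands from the report's payload, while the quoted and hardened builds keep the intended two (find piped into head).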