CVE-2020-13927

Published: 10/11/2020 Updated: 14/02/2024
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 790
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, which poses a security risk to users who are unaware of it. From Airflow 1.10.11 the default has been changed to deny all requests, as documented at airflow.apache.org/docs/1.10.11/security.html#api-authentication. Note that this change only fixes new installs; existing users need to set `[api] auth_backend = airflow.api.auth.backend.deny_all` in their config, as described in the Updating Guide: github.com/apache/airflow/blob/1.10.11/UPDATING.md#experimental-api-will-deny-all-request-by-default
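A defender-side check for this advisory, added here as an example (it is not code from the page or from the Airflow project): it reads an airflow.cfg with Python's configparser, classifies the `[api] auth_backend` value, and falls back to the version's built-in default when the key is absent. The permissive backend name `airflow.api.auth.backend.default` and the `load_examples` default are taken from Airflow 1.10.x's config template; the sample configs are constructed.

```python
import configparser

# Backends named in Airflow 1.10.x: the permissive one that 1.10.10 and earlier
# shipped as the default (every Experimental API request accepted without
# credentials) and the deny-all one that 1.10.11 made the default.
ALLOW_ALL_BACKEND = "airflow.api.auth.backend.default"
DENY_ALL_BACKEND = "airflow.api.auth.backend.deny_all"


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def classify_api_auth(cfg_text: str, airflow_version: str = "1.10.10") -> dict:
    """Classify the Experimental API auth setting found in airflow.cfg text.

    An explicit [api] auth_backend wins; a missing key falls back to the
    version's built-in default (allow-all before 1.10.11, deny-all after).
    """
    # interpolation=None: airflow.cfg values may contain '%' (e.g. DB URLs).
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    configured = parser.get("api", "auth_backend", fallback=None)
    if configured is not None:
        backend, source = configured.strip(), "explicit"
    elif _version_tuple(airflow_version) < (1, 10, 11):
        backend, source = ALLOW_ALL_BACKEND, "implicit pre-1.10.11 default"
    else:
        backend, source = DENY_ALL_BACKEND, "implicit 1.10.11+ default"
    if backend == ALLOW_ALL_BACKEND:
        status = "UNAUTHENTICATED"  # the CVE-2020-13927 condition
    elif backend == DENY_ALL_BACKEND:
        status = "DENY_ALL"
    else:
        status = "CUSTOM"  # another backend; review its policy by hand
    # Example DAGs loaded plus an open API is the chain described on this page.
    examples = parser.get("core", "load_examples", fallback="True").strip().lower()
    return {"backend": backend, "source": source, "status": status,
            "examples_loaded": examples == "true"}


# Constructed sample configs, not taken from any real deployment.
VULNERABLE_CFG = "[api]\nauth_backend = airflow.api.auth.backend.default\n"
HARDENED_CFG = "[api]\nauth_backend = airflow.api.auth.backend.deny_all\n[core]\nload_examples = False\n"
UNSET_CFG = "[core]\nload_examples = True\n"

if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CFG), ("hardened", HARDENED_CFG), ("unset", UNSET_CFG)]:
        print(name, classify_api_auth(cfg))
```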

Vulnerable Product

apache airflow

Exploits

This Metasploit module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow version 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, "example_trigger_target_dag", which allows any authenticated user to ru ...
Apache Airflow versions 1.10.10 and below suffer from a remote code execution vulnerability ...
This module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, "example_trigger_target_dag", which allows any aut ...

Mailing Lists

oss-sec mailing list archives: [CVE-2020-13927] - Insecure Default Configuration for Experimental API in Airflow < 1.10.11 ...

Metasploit Modules

Apache Airflow 1.10.10 - Example DAG Remote Code Execution

This module exploits an unauthenticated command injection vulnerability by combining two critical vulnerabilities in Apache Airflow 1.10.10. The first, CVE-2020-11978, is an authenticated command injection vulnerability found in one of Airflow's example DAGs, "example_trigger_target_dag", which allows any authenticated user to run arbitrary OS commands as the user running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's Experimental REST API to perform malicious actions such as creating the vulnerable DAG above. The two CVEs taken together allow vulnerable DAG creation and command injection, leading to unauthenticated remote code execution.

msf > use exploit/linux/http/apache_airflow_dag_rce
msf exploit(apache_airflow_dag_rce) > show targets
    ...targets...
msf exploit(apache_airflow_dag_rce) > set TARGET < target-id >
msf exploit(apache_airflow_dag_rce) > show options
    ...show and set options...
msf exploit(apache_airflow_dag_rce) > exploit

Github Repositories

PoC of how to exploit an RCE vulnerability of the example DAGs in Apache Airflow <1.10.11

CVE-2020-11978: Remote code execution in Apache Airflow's Example DAGs

Information
Description: This vulnerability allows RCE when Airflow's example DAGs are loaded, potentially unauthenticated with CVE-2020-13927
CVE Credit: xuxiang of DtDream security
Versions Affected: < 1.10.11
Disclosure Link: lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04