CVE-2020-11978

HIGH KEV NUCLEI LAB

Apache Airflow < 1.10.11 - OS Command Injection

Description

An issue was found in Apache Airflow versions 1.10.10 and below. A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow which would allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). If you already have examples disabled by setting load_examples=False in the config then you are not vulnerable.

Exploits (3)

nomisec WORKING POC 8 stars
by pberba · remote
https://github.com/pberba/CVE-2020-11978
exploitdb WORKING POC
python · webapps · multiple
https://www.exploit-db.com/exploits/49927
metasploit WORKING POC EXCELLENT
by xuxiang, Pepe Berba, Ismail E. Dawoodjee · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_airflow_dag_rce.rb

Nuclei Templates (1)

Apache Airflow <=1.10.10 - Remote Code Execution
HIGH · VERIFIED · by pdteam
Shodan: title:"Airflow - DAGs" || http.html:"Apache Airflow" || http.title:"airflow - dags" || http.html:"apache airflow" || http.title:"sign in - airflow" || product:"redis"
FOFA: title="sign in - airflow" || apache airflow || title="airflow - dags" || http.html:"apache airflow"

Scores

CVSS v3 8.8
EPSS 0.9430
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab
docker pull apache/airflow:1.10.10

Details

CISA KEV 2022-01-18
VulnCheck KEV 2022-01-18
InTheWild.io 2021-09-17
ENISA EUVD EUVD-2020-0032
CWE
CWE-78
Status published
Products (2)
apache/airflow < 1.10.11
pypi/apache-airflow 0 - 1.10.11rc1 (PyPI)
Published Jul 17, 2020
KEV Added Jan 18, 2022
Tracked Since Feb 18, 2026