google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

PRP: Request CVE-2020-13927 Apache Airflow's Experimental API Authentication Bypass #400

Closed. frkngksl closed this 6 months ago

frkngksl commented 7 months ago

Hi there.

I would like to start implementing a plugin to detect CVE-2020-13927 Apache Airflow's Experimental API Authentication Bypass.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2020-13927
https://packetstormsecurity.com/files/174764/Apache-Airflow-1.10.10-Remote-Code-Execution.html

Description: The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact.

Versions: Below Airflow version 1.10.11

I saw an issue related to this vulnerability, but it was old and no comment was made. If you are interested in this vulnerability now, I can start its development. I'm planning to implement a detector that detects the DAG creation part of the vulnerability, which the mentioned CVE was given for.
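An added defender-side example (not part of this issue or of the Tsunami project's code) that audits an Airflow deployment for the condition described above: an Airflow version below 1.10.11 whose `[api] auth_backend` is unset or set to the permissive `airflow.api.auth.backend.default` backend. The config excerpts are constructed, and the key and backend names are assumptions taken from upstream Airflow documentation rather than from this thread.

```python
import configparser
import re

# Constructed sample airflow.cfg excerpts (assumption: [api] auth_backend layout
# as documented for Airflow 1.10.x; not taken from this issue thread).
VULNERABLE_CFG = "[api]\nauth_backend = airflow.api.auth.backend.default\n"
HARDENED_CFG = "[api]\nauth_backend = airflow.api.auth.backend.deny_all\n"

# First release whose shipped default stopped accepting unauthenticated requests.
FIXED_VERSION = (1, 10, 11)
# Backend that accepts every Experimental API request without authentication
# (assumption based on upstream docs; it remained selectable after the fix).
PERMISSIVE_BACKEND = "airflow.api.auth.backend.default"


def parse_version(version):
    """Return (major, minor, patch) from a string such as '1.10.10'."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised Airflow version: %r" % version)
    return tuple(int(part) for part in match.groups())


def configured_auth_backend(cfg_text):
    """Return the [api] auth_backend value, or None when it is not set."""
    # airflow.cfg uses %-style values in places, so disable interpolation.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.get("api", "auth_backend", fallback=None)


def assess(version, cfg_text):
    """Classify the deployment as 'vulnerable' or 'ok' with a reason."""
    ver = parse_version(version)
    backend = configured_auth_backend(cfg_text)
    if backend == PERMISSIVE_BACKEND:
        return ("vulnerable", "auth_backend explicitly set to the permissive backend")
    if backend is None and ver < FIXED_VERSION:
        # Before 1.10.11 an unset auth_backend meant the permissive backend.
        return ("vulnerable", "pre-1.10.11 default allows unauthenticated API calls")
    if backend is None:
        return ("ok", "1.10.11+ default denies unauthenticated API calls")
    return ("ok", "non-permissive auth_backend configured: %s" % backend)


if __name__ == "__main__":
    for ver, cfg in [("1.10.10", VULNERABLE_CFG), ("1.10.10", "[core]\n"),
                     ("1.10.11", HARDENED_CFG), ("2.0.0", VULNERABLE_CFG)]:
        print(ver, assess(ver, cfg))
```

Run against the real `airflow.cfg` text and `airflow version` output to triage a deployment before reaching for a network scanner.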

tooryx commented 7 months ago

Hi @frkngksl,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form, and then you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.

Thanks!

frkngksl commented 7 months ago

Hi @tooryx, I submitted the detector and docker files. Thanks in advance.

frkngksl commented 6 months ago

Hi @maoning, can this issue be counted as an AI PRP now?

maoning commented 6 months ago

@frkngksl I just noticed that your request here overlaps with an existing AI plugin request https://github.com/google/tsunami-security-scanner-plugins/issues/428. It's my fault for not noticing the overlap. I hope that by using the new ai-bounty-prp tag, we can prevent similar issues from happening.

As #428 has RCE verification, I will merge in that one instead. However, I will make sure your other PRs are reviewed in a timely manner.

frkngksl commented 6 months ago

Hi @maoning, that issue was accepted last month, and the CVE was specific to the lack of authentication in the experimental API. It is true that it can be combined with another CVE for RCE (as specified in the other issue, RCE is valid only for a very specific DAG), but this API provides other functionalities. In my opinion, this should be considered separate; otherwise it is a little bit unfair (with all my respect) because I developed a plugin after getting an approval from you.

maoning commented 6 months ago

@frkngksl I would definitely want to prevent this from happening in the future and will discuss this with the entire review panel. Your effort here is recognized.

In general, we prefer RCE-based vuln verification for Tsunami plugins; while it's not always possible, we lean more towards finding fewer critical bugs than producing too many findings.