漏洞描述
攻击者可以创建与目标相同版本的本地安装,以管理员身份登录并将会话cookie重播到目标以在远程计算机上以管理员身份登录。 在这种情况下,可以使用工具来解密和识别明文 json 字符串,然后更新user_id参数并将 cookie 重新发送到服务器以模拟指定了user_id的用户。
Apache Airflow admin 未授权访问漏洞 (CVE-2020-17526)
PoC代码
暂无相关漏洞推荐
-
CVE-2020-17526: Apache Airflow <1.10.14 - Authentication Bypass POC
2025-09-01 | Apache AirflowApache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect sessio... -
CVE-2020-11978: Apache Airflow <=1.10.10 - Remote Code Execution POC
2025-08-01 | Apache AirflowApache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabil... -
CVE-2020-17526: Apache Airflow <1.10.14 - Authentication Bypass POC
2025-08-01 | Apache AirflowApache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect sessio... -
CVE-2020-10199: Nexus Repository before 3.21.2 allows JavaEL Injection POC
2025-09-01 | Nexus Repository漏洞触发需要任意账户权限 body="Nexus Repository Manager" app="Nexus-Repository-Manager" -
CVE-2020-11455: LimeSurvey 4.1.11 - Path Traversal POC
2025-09-01 | LimeSurveyLimeSurvey before 4.1.12+200324 contains a path traversal vulnerability in application/controllers/a...