FlowFixation
Published Thu, Mar 21st, 2024
Platforms
Summary
A flaw in Amazon Managed Workflows for Apache Airflow (MWAA) could have allowed potential session hijacking and remote code execution. The issue stemmed from a combination of session fixation in the MWAA web management panel and an AWS domain configuration error leading to a cross-site scripting (XSS) attack. Attackers exploiting this could manipulate victims' configurations, trigger workflows, and potentially move laterally to other services within the cloud environment. The exploit of this bug involved deploying malicious code via an Amazon API Gateway that interacts with the victim’s Airflow instance, setting a session cookie that bypasses normal authentication and grants the attacker access.
Affected Services
MWAA
Remediation
None required
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/mer-b
Entry Status
Finalized
Disclosure Date
-
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
None
Piercing Index Rating
-
Discovered by
Liv Matan, Tenable
