Summary
A flaw in Amazon Managed Workflows for Apache Airflow (MWAA) could have allowed potential session hijacking and remote code execution.
The issue stemmed from a combination of session fixation in the MWAA web management panel and an AWS domain configuration error leading
to a cross-site scripting (XSS) attack. Attackers exploiting this could manipulate victims' configurations, trigger workflows, and
potentially move laterally to other services within the cloud environment. The exploit of this bug involved deploying malicious code
via an Amazon API Gateway that interacts with the victim’s Airflow instance, setting a session cookie that bypasses normal authentication
and grants the attacker access.
Affected Services
MWAA
Remediation
None required
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/mer-b
Disclosure Date
-
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Liv Matan, Tenable
