oss-sec mailing list archives
CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config
From: Kaxil Naik <kaxilnaik () apache org>
Date: Mon, 21 Dec 2020 15:38:42 +0000
Versions Affected: < 1.10.14

*Description*: Incorrect session validation in the Airflow Webserver with the default config allows a malicious Airflow user who logs in normally on site A to access an Airflow Webserver on site B, for which they have no authorization, by reusing the session from site A. This does not affect users who have changed the default value of the `[webserver] secret_key` config.

*Mitigation*: Change the default value of the `[webserver] secret_key` config.

*Credit*: Junghan Lee of Deliveryhero Korea Security Team

Thanks,
Kaxil, on behalf of Apache Airflow PMC
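As an added illustration (not code from the advisory or from the Airflow project), the following audit parses an airflow.cfg, flags a `[webserver] secret_key` that is a known default or too short, and rewrites the file with a per-deployment random key; the `temporary_key` default value and the 32-character threshold are assumptions stated in the comments, not facts from the advisory.

```python
"""Audit airflow.cfg for the weak [webserver] secret_key behind CVE-2020-17526."""
import configparser
import io
import secrets

# Values that must never serve as a session-signing key. "temporary_key" is assumed
# here to be the default shipped in the Airflow 1.10 config template (an assumption,
# not taken from the advisory); the others are common placeholders.
KNOWN_WEAK_KEYS = {"temporary_key", "", "changeme", "secret", "airflow"}
MIN_KEY_LENGTH = 32  # hypothetical local policy, not an Airflow requirement


def audit_secret_key(cfg_text: str) -> list:
    """Return findings for [webserver] secret_key in an airflow.cfg text.

    An empty list means the key is neither a known default nor obviously short."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_option("webserver", "secret_key"):
        return ["[webserver] secret_key is not set; Airflow falls back to its default"]
    key = parser.get("webserver", "secret_key").strip()
    findings = []
    if key in KNOWN_WEAK_KEYS:
        findings.append(f"secret_key is a known default/placeholder ({key!r}); any "
                        "other deployment using it will accept this site's sessions")
    if len(key) < MIN_KEY_LENGTH:
        findings.append(f"secret_key is only {len(key)} characters; use a random "
                        f"value of at least {MIN_KEY_LENGTH}")
    return findings


def generate_secret_key(nbytes: int = 32) -> str:
    """Produce a per-deployment random key suitable for [webserver] secret_key."""
    return secrets.token_urlsafe(nbytes)


def hardened_config(cfg_text: str) -> str:
    """Return cfg_text with [webserver] secret_key replaced by a fresh random key."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("webserver"):
        parser.add_section("webserver")
    parser.set("webserver", "secret_key", generate_secret_key())
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


# Constructed sample config, not a real deployment file.
VULNERABLE_CFG = "[core]\nexecutor = SequentialExecutor\n\n[webserver]\nsecret_key = temporary_key\n"

if __name__ == "__main__":
    for finding in audit_secret_key(VULNERABLE_CFG):
        print("FINDING:", finding)
    print(hardened_config(VULNERABLE_CFG))
```

Each Airflow site must get its own generated key; copying one hardened airflow.cfg to several sites recreates the shared-key condition the advisory describes.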