oss-sec mailing list archives

CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config

From: Kaxil Naik <kaxilnaik () apache org>
Date: Mon, 21 Dec 2020 15:38:42 +0000

Versions Affected: < 1.10.14

*Description*:
Incorrect Session Validation in Airflow Webserver with default config
allows a malicious airflow user on site A where they log in normally, to
access unauthorized Airflow Webserver on Site B through the session from
Site A.

This does not affect users who have changed the default value for
`[webserver] secret_key` config.

*Mitigation*:
Change the default value for `[webserver] secret_key` config.

*Credit*:
Junghan Lee of Deliveryhero Korea Security Team

Thanks,
Kaxil,
on behalf of Apache Airflow PMC

Current thread:

CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config Kaxil Naik (Dec 21)