Posted to dev@airflow.apache.org by Kaxil Naik <ka...@gmail.com> on 2020/12/21 15:33:14 UTC

CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config

Hi Airflow community,

Please find below the information about a vulnerability which has been
addressed in Apache Airflow v1.10.14:

*CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow
Webserver with default config*

*Description*:
In Airflow < 1.10.14, incorrect session validation in the Airflow Webserver
with the default config allows a malicious Airflow user on site A, where they
log in normally, to gain unauthorized access to the Airflow Webserver on
site B by presenting the session from site A.

This does not affect users who have changed the default value for
`[webserver] secret_key` config.


*Mitigation:* Change the default value for `[webserver] secret_key` config.
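The following is an added example, not part of this advisory or of the Airflow project's code. It audits an `airflow.cfg` for a `[webserver] secret_key` that has not been changed and rotates it to a freshly generated random value. It assumes only that `airflow.cfg` is an INI-style file with a `[webserver]` section and a `secret_key` option; the list of "weak" values it checks against is a constructed placeholder (the project's actual default string is not reproduced here), so adjust it to your own baseline.

```python
"""Audit and rotate the [webserver] secret_key in an Airflow config file.

Added example; not the advisory's or the Airflow project's own code.
Assumptions: INI-style airflow.cfg, section [webserver], option secret_key.
"""
import configparser
import io
import secrets
from typing import List, Optional

# Constructed placeholder values standing in for "never changed"; Airflow's
# real default is deliberately not reproduced here. Extend to taste.
KNOWN_WEAK_VALUES = {"", "CHANGE_ME", "<default-placeholder>"}
# A 32-byte random key rendered with token_urlsafe is 43 characters long,
# so anything shorter than this is treated as suspicious.
MIN_SECRET_LEN = 32


def audit_secret_key(cfg_text: str) -> List[str]:
    """Return a list of findings; an empty list means the key looks acceptable."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_option("webserver", "secret_key"):
        # Airflow falls back to its built-in default when the key is absent,
        # which is exactly the shared-key situation the advisory describes.
        return ["[webserver] secret_key is not set; the built-in default applies"]
    value = parser.get("webserver", "secret_key").strip()
    findings = []
    if value in KNOWN_WEAK_VALUES:
        findings.append("secret_key matches a known placeholder value")
    if len(value) < MIN_SECRET_LEN:
        findings.append(f"secret_key is shorter than {MIN_SECRET_LEN} characters")
    return findings


def generate_secret_key(nbytes: int = 32) -> str:
    """Generate a URL-safe random key from the OS CSPRNG (stdlib `secrets`)."""
    return secrets.token_urlsafe(nbytes)


def rotate_secret_key(cfg_text: str, new_key: Optional[str] = None) -> str:
    """Return cfg_text with [webserver] secret_key replaced by a fresh key.

    Rotating the key invalidates every existing signed session cookie, so
    users of that Webserver will have to log in again.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("webserver"):
        parser.add_section("webserver")
    parser.set("webserver", "secret_key", new_key or generate_secret_key())
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample config (not a real deployment's file).
    sample = "[webserver]\nsecret_key = CHANGE_ME\n"
    for finding in audit_secret_key(sample):
        print("finding:", finding)
    rotated = rotate_secret_key(sample)
    print("after rotation:", audit_secret_key(rotated) or "no findings")
```

Each Airflow site must end up with its own distinct key; copying one rotated `airflow.cfg` to several deployments recreates the shared-session condition. Environment overrides take precedence over the file, so a deployment that sets `AIRFLOW__WEBSERVER__SECRET_KEY` should be audited through that variable rather than through `airflow.cfg`.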

*Credits*:

Junghan Lee of Deliveryhero Korea Security Team



Thanks.
Kaxil @ Airflow PMC