CVE-2020-17526

Summary

Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for [webserver] secret_key config.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache AirflowApache Airflow < 1.10.14affected

Weaknesses

  • Incorrect Session Validation in Airflow Webserver with default config

Workarounds

Change the default value for [webserver] secret_key config.

ADP Enrichment

CVE Program Container

Additional References

References