'[oss-security] CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with
From:       Kaxil Naik <kaxilnaik () apache ! org>
Date:       2020-12-21 15:38:42
Message-ID: CAH5JyZp9wzBdsWCFvG-FPOmDzLPx4xzyZE84AynWCsr_iMMaFQ () mail ! gmail ! com
[Download RAW message or body]

Versions Affected: < 1.10.14

*Description*:
Incorrect Session Validation in Airflow Webserver with default config
allows a malicious airflow user on site A where they log in normally, to
access unauthorized Airflow Webserver on Site B through the session from
Site A.

This does not affect users who have changed the default value for
`[webserver] secret_key` config.

*Mitigation*:
Change the default value for `[webserver] secret_key` config.

*Credit*:
Junghan Lee of Deliveryhero Korea Security Team

Thanks,
Kaxil,
on behalf of Apache Airflow PMC

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic