List: oss-security
Subject: [oss-security] CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with
From: Kaxil Naik <kaxilnaik () apache ! org>
Date: 2020-12-21 15:38:42
Message-ID: CAH5JyZp9wzBdsWCFvG-FPOmDzLPx4xzyZE84AynWCsr_iMMaFQ () mail ! gmail ! com
Versions Affected: < 1.10.14
*Description*:
Incorrect Session Validation in Airflow Webserver with default config
allows a malicious Airflow user on site A, where they log in normally, to
gain unauthorized access to the Airflow Webserver on site B through the
session from site A.
This does not affect users who have changed the default value for
`[webserver] secret_key` config.
*Mitigation*:
Change the default value for `[webserver] secret_key` config.
*Credit*:
Junghan Lee of Deliveryhero Korea Security Team
Thanks,
Kaxil,
on behalf of Apache Airflow PMC
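The trust failure the advisory describes, shown as an added example (this is illustration code, not Airflow's or Flask's own): a Flask-style session cookie is an HMAC-signed payload keyed by `SECRET_KEY`, so every webserver that still runs with the shipped default accepts cookies minted by any other such webserver. The model below is deliberately simplified (plain HMAC-SHA256 over a JSON payload rather than Flask's real itsdangerous cookie format); the default value `temporary_key`, the site names and the `_user_id` field are assumptions for the demonstration. It also includes the config check and key generation a practitioner would want when applying the mitigation.

```python
"""Illustration of CVE-2020-17526: a session cookie signed under a shared
(default) secret is accepted by every webserver that uses that same secret.

Simplified model (assumption): Flask signs its session cookie with an HMAC
keyed by SECRET_KEY. Here the cookie is `base64(json).base64(hmac-sha256)`;
this is NOT Flask's exact wire format, but the trust relationship is the same.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Assumption for the example: both sites shipped with the same default key.
DEFAULT_SECRET_KEY = "temporary_key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(secret_key: str, session: dict) -> str:
    """Build a signed cookie value `payload.signature` (simplified model)."""
    payload = _b64(json.dumps(session, sort_keys=True).encode())
    sig = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def load_session(secret_key: str, cookie: str):
    """Return the session dict if the signature verifies under secret_key, else None."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        given = _unb64(sig)
    except ValueError:  # malformed cookie or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_unb64(payload))


class Webserver:
    """Toy stand-in for one Airflow webserver deployment (hypothetical class)."""

    def __init__(self, name: str, secret_key: str = DEFAULT_SECRET_KEY):
        self.name = name
        self.secret_key = secret_key

    def login(self, user_id: str) -> str:
        # After a normal login the server issues a signed cookie for the user.
        return sign_session(self.secret_key, {"_user_id": user_id})

    def current_user(self, cookie: str):
        # The server trusts whatever a cookie claims, provided the HMAC verifies.
        session = load_session(self.secret_key, cookie)
        return session["_user_id"] if session else None


def cross_site_session_accepted(site_a: Webserver, site_b: Webserver, user_id: str = "alice") -> bool:
    """True if a cookie issued by site_a is accepted as a valid login by site_b."""
    cookie = site_a.login(user_id)
    return site_b.current_user(cookie) == user_id


def uses_default_secret_key(secret_key: str) -> bool:
    """Config check: flag a deployment still running with the shipped default."""
    return hmac.compare_digest(secret_key.encode(), DEFAULT_SECRET_KEY.encode())


def generate_secret_key() -> str:
    """A per-deployment random key, as the advisory's mitigation requires."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    a = Webserver("site-a")
    b = Webserver("site-b")
    print("both on default key, A's cookie accepted by B:", cross_site_session_accepted(a, b))
    b_fixed = Webserver("site-b", generate_secret_key())
    print("B with unique key, A's cookie accepted by B:", cross_site_session_accepted(a, b_fixed))
```

Running it shows `True` for two default-keyed sites and `False` once site B has its own key: no exploit beyond a normal login on A is needed, the cookie is simply replayed against B. The fix is exactly the advisory's mitigation, a distinct random `secret_key` under `[webserver]` in airflow.cfg (or, following Airflow's usual `AIRFLOW__SECTION__KEY` environment override, `AIRFLOW__WEBSERVER__SECRET_KEY`) for every deployment; `uses_default_secret_key` is the kind of check to add to a deployment audit.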