CVE-2020-17526

Published: Dec 21, 2020

Modified: Feb 13, 2025

PUBLISHED

Description

Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.

Vendor: Apache Software Foundation

Product: Apache Airflow

Versions: affected, Apache Airflow < 1.10.14
