Vulnerability Description
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Airflow | < 1.10.14 |
References
- http://www.openwall.com/lists/oss-security/2020/12/21/1Mailing ListThird Party Advisory
- https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08
- https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4Mailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2020/12/21/1Mailing ListThird Party Advisory
- https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08
- https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4Mailing ListVendor Advisory
FAQ
What is CVE-2020-17526?
CVE-2020-17526 is a vulnerability with a CVSS score of 7.7 (HIGH). Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airf...
How severe is CVE-2020-17526?
CVE-2020-17526 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-17526?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow.