Date: Mon, 21 Dec 2020 15:38:42 +0000 From: Kaxil Naik <kaxilnaik@...che.org> To: oss-security@...ts.openwall.com Cc: users@...flow.apache.org Subject: CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config Versions Affected: < 1.10.14 *Description*: Incorrect Session Validation in Airflow Webserver with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config. *Mitigation*: Change the default value for `[webserver] secret_key` config. *Credit*: Junghan Lee of Deliveryhero Korea Security Team Thanks, Kaxil, on behalf of Apache Airflow PMC
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.