PT-2020-6687 · Apache · Apache Airflow

Junghan Lee · Published 2020-12-21 · Updated 2024-03-06 · CVE-2020-17526

CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 1.10.14

Description: The issue stems from incorrect session validation in the Apache Airflow web server, caused by a default configuration that ships with a pre-set secret key. An attacker who holds a valid session on one Airflow web server can reuse it to gain unauthorized access to a second, unrelated Airflow web server. The root cause is the temporary key in the default airflow.cfg configuration file, which is identical for every installation; because session cookies are signed with that key, a session cookie that validates on one Airflow server also validates on any other server still using the default.

Recommendations: For Apache Airflow versions prior to 1.10.14, replace the default value of the [webserver] secret_key setting with a unique, randomly generated value to prevent unauthorized access. As a temporary workaround, restrict network access to the Airflow web server until the issue is resolved.
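The following is an added example, not code from the advisory or the Airflow project. It models the root cause with the standard library only: a simplified HMAC-signed cookie stands in for Flask's signed session (not its exact format), a cookie minted on one server under the shared default key verifies on a second server with the same key but not under a freshly generated key, and secret_key_is_weak() audits the [webserver] secret_key of an airflow.cfg fragment. The value temporary_key used as the shared default is an assumed stand-in, and the two config fragments are constructed.

```python
import base64
import binascii
import configparser
import hashlib
import hmac
import secrets

# Assumed stand-in for the key that ships in the default airflow.cfg;
# the advisory only says it is a "temporary key" common to all installs.
SHARED_DEFAULT_KEY = "temporary_key"


def sign_session(secret_key: str, payload: bytes) -> str:
    """Simplified signed cookie: urlsafe-base64(payload) '.' hex(HMAC-SHA256).
    A stand-in for Flask/itsdangerous signing, not its real wire format."""
    mac = hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_session(secret_key: str, cookie: str):
    """Return the payload if the cookie verifies under secret_key, else None."""
    try:
        b64, mac = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):  # malformed cookie
        return None
    expected = hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(expected, mac) else None


def cross_site_replay_accepted(site_a_key: str, site_b_key: str) -> bool:
    """Does a session issued by server A validate on server B?"""
    cookie = sign_session(site_a_key, b'{"user_id": 1}')
    return verify_session(site_b_key, cookie) is not None


def secret_key_is_weak(cfg_text: str) -> bool:
    """Flag an airflow.cfg whose secret_key is missing, the shared default, or short."""
    cfg = configparser.ConfigParser(interpolation=None)  # airflow.cfg uses '%'
    cfg.read_string(cfg_text)
    key = cfg.get("webserver", "secret_key", fallback="").strip()
    return key == "" or key == SHARED_DEFAULT_KEY or len(key) < 16


def generate_secret_key() -> str:
    """Per-installation replacement value for [webserver] secret_key."""
    return secrets.token_urlsafe(32)


# Constructed sample configs: the shipped default and a hardened one.
DEFAULT_CFG = "[webserver]\nsecret_key = temporary_key\n"
HARDENED_CFG = "[webserver]\nsecret_key = " + generate_secret_key() + "\n"
```

Both servers sharing the default accept each other's cookies; once either side generates its own key, the replayed cookie fails verification.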

Fix

Weakness Enumeration

Improper Authentication
Improper Privilege Management
Using Hardcoded Credentials

Related Identifiers

BDU:2022-04640
BIT-AIRFLOW-2020-17526
CVE-2020-17526
GHSA-7MX5-X372-XH87
PYSEC-2020-22

Affected Products

Apache Airflow