CVE-2020-17526: Apache Airflow Incorrect Session Validation Vulnerability Alert

Airflow is a platform created by the community to programmatically author, schedule, and monitor workflows. Apache recently disclosed, in an email notice, an incorrect session validation vulnerability in the Airflow Webserver with default config, tracked as CVE-2020-17526. An attacker can use this vulnerability to gain unauthorized access.

Vulnerability Detail

Incorrect session validation in the Airflow Webserver with default config allows a malicious Airflow user who logs in normally on Site A to access the Airflow Webserver on Site B, where they are not authorized, through the session from Site A.

Affected version

  • Apache Airflow <1.10.14

Solution

Apache has released a version that fixes this vulnerability. Affected users should upgrade to version 1.10.14 or later as soon as possible.
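
One way to check a deployment against this advisory, as an added example that is not part of the original alert or of Apache's code: it flags versions below 1.10.14 and a webserver session key left at its default. The [webserver] secret_key setting, its 1.10.x default temporary_key, and the AIRFLOW__WEBSERVER__SECRET_KEY override are assumptions taken from Airflow's configuration rather than from this page; the sample config is constructed.

```python
import configparser
import re

FIXED_VERSION = (1, 10, 14)           # first fixed release named in the advisory
DEFAULT_SECRET_KEY = "temporary_key"  # assumption: default in 1.10.x airflow.cfg
ENV_OVERRIDE = "AIRFLOW__WEBSERVER__SECRET_KEY"  # assumption: env var override

# Constructed sample: an airflow.cfg left at its defaults.
SAMPLE_CFG = """
[core]
dags_folder = /opt/airflow/dags

[webserver]
web_server_port = 8080
secret_key = temporary_key
"""

def parse_version(text):
    """'1.10.12' -> (1, 10, 12); pre-release suffixes such as 'rc1' are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def audit(version, cfg_text, env=None):
    """Return findings for one deployment; an empty list means nothing flagged.
    Pass env=os.environ on a live host so the override is taken into account."""
    findings = []
    affected = parse_version(version) < FIXED_VERSION
    if affected:
        findings.append("version below 1.10.14: upgrade")
    parser = configparser.ConfigParser(interpolation=None)  # values may hold '%'
    parser.read_string(cfg_text)
    key = (env or {}).get(ENV_OVERRIDE)
    if key is None:
        key = parser.get("webserver", "secret_key", fallback=None)
    # Assumption: on an affected version an unset key falls back to the default.
    if key == DEFAULT_SECRET_KEY or (key is None and affected):
        findings.append("secret_key is the shared default: set a unique random value")
    return findings

if __name__ == "__main__":
    for line in audit("1.10.12", SAMPLE_CFG):
        print(line)
```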