Airflow is a community-built platform for programmatically authoring, scheduling, and monitoring workflows. In a recent email notice, Apache disclosed an incorrect session validation vulnerability in the Apache Airflow Webserver when it runs with the default config, tracked as CVE-2020-17526. An attacker can use this vulnerability to gain unauthorized access.
Incorrect session validation in the Airflow Webserver with default config allows a malicious Airflow user on Site A, where they log in normally, to gain unauthorized access to the Airflow Webserver on Site B through the session from
Affected versions:
- Apache Airflow <1.10.14
Apache has released a fixed version that addresses this vulnerability. Affected users should upgrade to version 1.10.14 or above promptly.
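A configuration check for the "default config" condition described above, as an added example that is not part of the original notice or of Airflow's own code. The notice does not name the setting: the session-signing key is `[webserver] secret_key`, which shipped as `temporary_key` before 1.10.14. The function name, the length threshold and both sample configs are constructed for illustration.

```python
import configparser

# Shipped [webserver] secret_key value in Airflow releases before 1.10.14.
DEFAULT_SECRET_KEY = "temporary_key"
MIN_KEY_LENGTH = 16  # assumption made for this example, not an Airflow rule

# Constructed sample configs (not taken from any real deployment).
DEFAULT_CFG = """
[core]
dags_folder = /opt/airflow/dags

[webserver]
web_server_port = 8080
secret_key = temporary_key
"""
HARDENED_CFG = DEFAULT_CFG.replace(
    "temporary_key", "constructed-example-0123456789abcdef"
)


def audit_secret_key(cfg_text, environ=None):
    """Return findings about the key that signs webserver session cookies."""
    parser = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    parser.read_string(cfg_text)

    # AIRFLOW__WEBSERVER__SECRET_KEY overrides the value in airflow.cfg.
    key = (environ or {}).get("AIRFLOW__WEBSERVER__SECRET_KEY")
    source = "environment"
    if key is None:
        key = parser.get("webserver", "secret_key", fallback=None)
        source = "airflow.cfg"

    if key is None:
        return ["secret_key not set; affected versions fall back to the default"]
    key = key.strip()
    if key == DEFAULT_SECRET_KEY:
        return [f"secret_key from {source} is the shipped default"]
    if len(key) < MIN_KEY_LENGTH:
        return [f"secret_key from {source} is under {MIN_KEY_LENGTH} characters"]
    return []


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_secret_key(cfg) or "ok")
```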