{"containers":{"cna":{"affected":[{"product":"Apache Airflow","vendor":"Apache Software Foundation","versions":[{"lessThan":"1.10.14","status":"affected","version":"Apache Airflow","versionType":"custom"}]}],"credits":[{"lang":"en","value":"Junghan Lee of Deliveryhero Korea Security Team"}],"descriptions":[{"lang":"en","value":"Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config."}],"problemTypes":[{"descriptions":[{"description":"Incorrect Session Validation in Airflow Webserver with default config","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2024-08-04T14:01:40.000Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["x_refsource_MISC"],"url":"https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E"},{"name":"[oss-security] 20201221 CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config","tags":["mailing-list","x_refsource_MLIST"],"url":"http://www.openwall.com/lists/oss-security/2020/12/21/1"},{"name":"[announce] 20210623 Success at Apache: Security in Practice","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352%40%3Cannounce.apache.org%3E"}],"source":{"discovery":"UNKNOWN"},"workarounds":[{"lang":"en","value":"Change the default value for `[webserver] secret_key` config."}],"x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2020-17526","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Airflow","version":{"version_data":[{"version_affected":"<","version_name":"Apache Airflow","version_value":"1.10.14"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"credit":[{"lang":"eng","value":"Junghan Lee of Deliveryhero Korea Security Team"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Airflow Webserver on Site B through the session from Site A. This does not affect users who have changed the default value for `[webserver] secret_key` config."}]},"generator":{"engine":"Vulnogram 0.0.9"},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Incorrect Session Validation in Airflow Webserver with default config"}]}]},"references":{"reference_data":[{"name":"https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E","refsource":"MISC","url":"https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E"},{"name":"[oss-security] 20201221 CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2020/12/21/1"},{"name":"[announce] 20210623 Success at Apache: Security in Practice","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352@%3Cannounce.apache.org%3E"}]},"source":{"discovery":"UNKNOWN"},"work_around":[{"lang":"en","value":"Change the default value for `[webserver] secret_key` config."}]}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T14:00:47.524Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E"},{"name":"[oss-security] 20201221 CVE-2020-17526: Apache Airflow Incorrect Session Validation in Airflow Webserver with default config","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2020/12/21/1"},{"name":"[announce] 20210623 Success at Apache: Security in Practice","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r466759f377651f0a690475d5a52564d0e786e82c08d5a5730a4f8352%40%3Cannounce.apache.org%3E"}]}]},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2020-17526","datePublished":"2020-12-21T16:45:13.000Z","dateReserved":"2020-08-12T00:00:00.000Z","dateUpdated":"2025-02-13T16:27:35.877Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}