
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN700
_____________________________________________________________________

DATE                : 22/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow versions prior to 1.10.14.

=====================================================================
http://mail-archives.apache.org/mod_mbox/airflow-users/202012.mbox/%3cCAH5JyZp9wzBdsWCFvG-FPOmDzLPx4xzyZE84AynWCsr_iMMaFQ@mail.gmail.com%3e
_____________________________________________________________________


Versions Affected: < 1.10.14

*Description*:
Incorrect Session Validation in the Airflow Webserver with the default config
allows a malicious Airflow user on Site A, where they log in normally, to
access an unauthorized Airflow Webserver on Site B through the session from
Site A.

This does not affect users who have changed the default value for
`[webserver] secret_key` config.

*Mitigation*:
Change the default value for `[webserver] secret_key` config.

*Credit*:
Junghan Lee of Deliveryhero Korea Security Team

Thanks,
Kaxil,
on behalf of Apache Airflow PMC
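
The following is an added illustration of the flaw and its mitigation; it is not part of the advisory or of Airflow's own code. Airflow's webserver is a Flask application, and Flask authenticates its session cookie with an HMAC keyed by the configured secret key, so two deployments that share the same secret key accept each other's cookies. The cookie format below is a simplified model of that scheme, and `DEFAULT_SECRET_KEY` is a constructed placeholder, not the value Airflow ships.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder standing in for a shared, shipped default; not Airflow's real value.
DEFAULT_SECRET_KEY = "example-shared-default"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(secret_key: str, username: str) -> str:
    """A site issues a signed session cookie after a normal login."""
    payload = _b64(json.dumps({"user": username}).encode())
    sig = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def validate_session(secret_key: str, cookie: str):
    """Return the session's user if the cookie verifies under this site's key, else None.

    The only thing tying a cookie to a site is the key: any site holding the
    same key accepts the cookie as its own.
    """
    try:
        payload, sig = cookie.split(".", 1)
        expected = hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(payload))["user"]
    except (ValueError, KeyError):
        return None


def cross_site_demo():
    """Cookie minted on Site A, presented to Site B under two configurations."""
    cookie_from_site_a = issue_session(DEFAULT_SECRET_KEY, "alice")
    # Site B also left secret_key at the default: the foreign session is accepted.
    with_default = validate_session(DEFAULT_SECRET_KEY, cookie_from_site_a)
    # Site B with its own random secret_key (the advisory's mitigation): rejected.
    with_unique = validate_session(secrets.token_urlsafe(32), cookie_from_site_a)
    return with_default, with_unique
```

Running `cross_site_demo()` returns `("alice", None)`: the same cookie is a valid login on Site B only while Site B shares the default key.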


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
