Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2020-17526 — Improper Privilege Management in Apache Airflow (Apache Software Foundation)
Severity: 7.7 HIGH (NVD)
EPSS: 91.5% (top 0.33%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Dec 21; latest update Apr 20
Description
Incorrect session validation in the Apache Airflow Webserver in versions prior to 1.10.14, when running with the default config, allows a malicious Airflow user on site A, where they log in normally, to gain unauthorized access to the Airflow Webserver on site B by reusing the session from site A. This does not affect deployments that have changed the default value of the `[webserver] secret_key` config option.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.1 | Impact: 4.0
Affected packages: 2 packages
Exploits & PoCs: 4 (1 Nuclei template: Apache Airflow <1.10.14 - Authentication Bypass)