#VU49123 Use of hard-coded credentials in Apache Airflow - CVE-2020-17526

Cybersecurity Help s.r.o.

Published: 2020-12-21 | Updated: 2020-12-23

Vulnerability identifier: #VU49123

Vulnerability risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-17526

CWE-ID: CWE-798

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Airflow
Web applications / Modules and components for CMS

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain full access to vulnerable application.

The vulnerability exists due to Apache Airflow relies on session management based on the default [webserver] secret_key value. A remote attacker, who successfully authenticated at one website can re-use the same session to authenticate on another unrelated website, if both web servers are configured with the default [webserver] secret_key value.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Airflow: 1.0.0 - 1.10.13

External links
https://www.openwall.com/lists/oss-security/2020/12/21/1
https://lists.apache.org/thread.html/rbeeb73a6c741f2f9200d83b9c2220610da314810c4e8c9cf881d47ef%40%3Cusers.airflow.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Fortinet FortiAnalyzer

Hardcoded session secret key in Apache Airflow