PT-2023-4588 · Apache · Apache Airflow

Martin Schobert · Published 2023-08-23 · Updated 2024-03-06

CVE-2023-39441

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Airflow versions prior to 2.7.0
Apache Airflow SMTP Provider versions prior to 1.3.0
Apache Airflow IMAP Provider versions prior to 3.3.0

Description

The issue concerns the validation of OpenSSL certificates. The default SSL context created with the SSL library did not verify the server's X.509 certificate and accepted any certificate. This could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position.

Recommendations

For Apache Airflow versions prior to 2.7.0, upgrade to Apache Airflow version 2.7.0 or newer.
For Apache Airflow SMTP Provider versions prior to 1.3.0, upgrade to Apache Airflow SMTP Provider version 1.3.0 or newer.
For Apache Airflow IMAP Provider versions prior to 3.3.0, upgrade to Apache Airflow IMAP Provider version 3.3.0 or newer.
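To make the defect class concrete, the following is an added illustration written for this page (not code from Airflow or its SMTP/IMAP providers) using Python's ssl module, which those providers' smtplib/imaplib connections build on. It places a context that accepts any server certificate beside a hardened context that requires a valid, hostname-matching one, and adds a small audit helper that flags any context a MITM server could pass. The function names are assumptions for the example.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """A client context matching the advisory's defect: no peer verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be disabled before verify_mode can be set to CERT_NONE,
    # otherwise the ssl module raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including a forged one, is accepted
    return ctx


def hardened_context(cafile: str = None) -> ssl.SSLContext:
    """A client context that rejects untrusted or mismatched server certificates."""
    # create_default_context() already enables hostname checking and CERT_REQUIRED
    # and loads the system trust store (or the given CA bundle); the settings are
    # restated here so an audit of the code sees the intent explicitly.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context would refuse a server presenting an untrusted
    or wrong-name certificate, i.e. the MITM scenario in the advisory fails."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit(contexts: dict) -> list:
    """Return the names of contexts that do not verify the peer.

    Pass in the contexts handed to smtplib.SMTP_SSL(context=...) or
    imaplib.IMAP4_SSL(ssl_context=...) to check mail connections before use.
    """
    return [name for name, ctx in contexts.items() if not context_verifies_peer(ctx)]


if __name__ == "__main__":
    # Constructed sample: one weak and one hardened context, labelled by use.
    print(audit({"smtp": insecure_context(), "imap": hardened_context()}))
```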

Weakness Enumeration

Improper Certificate Validation

Related identifiers

BDU:2023-04995
BIT-AIRFLOW-2023-39441
CVE-2023-39441
GHSA-5F35-PQ34-C87Q

Affected products

Apache Airflow
Apache Airflow Imap Provider
Apache Airflow Ftp Provider
Openssl