PT-2023-4588 · Apache · Apache Airflow Ftp Provider
Martin Schobert · Published 2023-08-23 · Updated 2024-03-06
CVE-2023-39441
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Airflow versions prior to 2.7.0
Apache Airflow SMTP Provider versions prior to 1.3.0
Apache Airflow IMAP Provider versions prior to 3.3.0
Description
The issue concerns X.509 certificate validation in the SSL/TLS client. The default SSL context created with the SSL library did not verify the server's X.509 certificate and accepted any certificate presented to it. When the client connects to an attacker in a man-in-the-middle (MITM) position, this can disclose mail server credentials or mail contents.
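The two client-context shapes the description contrasts, as an added example that is not Airflow's or the providers' own code: a context that accepts any server certificate (modelling the pre-fix behaviour) next to one that validates the chain and matches the hostname, plus a small audit that flags the weak settings. The function names, the audit rules and the connection helpers are this example's own; the exact way the affected providers built their context is an assumption, since the page does not show it.

```python
import ssl
import smtplib
import imaplib
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """Model of the pre-fix behaviour: a context that accepts any server certificate.

    Assumption (not shown on the advisory page): the affected code effectively ran
    with chain verification and hostname checking disabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # any X.509 chain is accepted, including one from a MITM
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that validates the certificate chain and matches the server name.

    create_default_context() sets CERT_REQUIRED, check_hostname=True and loads the
    system trust store (or the given CA file); the TLS floor is pinned explicitly.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the server name")
    return findings


def smtp_over_tls(host: str, port: int = 465,
                  ctx: Optional[ssl.SSLContext] = None) -> smtplib.SMTP_SSL:
    """Open an implicit-TLS SMTP session with a verifying context (network call)."""
    return smtplib.SMTP_SSL(host, port, context=ctx or hardened_context())


def imap_over_tls(host: str, port: int = 993,
                  ctx: Optional[ssl.SSLContext] = None) -> imaplib.IMAP4_SSL:
    """Open an implicit-TLS IMAP session with a verifying context (network call)."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx or hardened_context())


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Running the block prints two findings for the insecure context and none for the hardened one; `smtp_over_tls` and `imap_over_tls` show where the verifying context is handed to the standard-library clients, which is the knob the fixed provider versions turn.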
Recommendations
For Apache Airflow versions prior to 2.7.0, upgrade to Apache Airflow version 2.7.0 or newer.
For Apache Airflow SMTP Provider versions prior to 1.3.0, upgrade to Apache Airflow SMTP Provider version 1.3.0 or newer.
For Apache Airflow IMAP Provider versions prior to 3.3.0, upgrade to Apache Airflow IMAP Provider version 3.3.0 or newer.
Fix
Weakness Enumeration
Improper Certificate Validation (CWE-295)
Related Identifiers
CVE-2023-39441
Affected Products
Apache Airflow
Apache Airflow Imap Provider
Apache Airflow Ftp Provider
Openssl