Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01ZjM1LXBxMzQtYzg3cc4AA1eK
Apache Airflow missing Certificate Validation
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability.
The default SSL context with SSL library did not check a server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position.
Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability
Permalink: https://github.com/advisories/GHSA-5f35-pq34-c87qJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01ZjM1LXBxMzQtYzg3cc4AA1eK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 2 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-5f35-pq34-c87q, CVE-2023-39441
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-39441
- https://github.com/apache/airflow/pull/33070
- https://github.com/apache/airflow/pull/33075
- https://github.com/apache/airflow/pull/33108
- https://lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lb
- http://www.openwall.com/lists/oss-security/2023/08/23/2
- https://github.com/apache/airflow/commit/38fc9cd823feafd8ec61d5d5c7eddb9e9162f755
- https://github.com/apache/airflow/commit/3bd8f020e8b7bdeb7f618bdbdfb3557f117b29d3
- https://github.com/apache/airflow/commit/dbacacbd4d476da757de148a4e747924c34fd7fe
- https://github.com/advisories/GHSA-5f35-pq34-c87q
Blast Radius: 18.8
Affected Packages
pypi:apache-airflow
Dependent packages: 265Dependent repositories: 1,554
Downloads: 23,800,308 last month
Affected Version Ranges: < 2.7.0
Fixed in: 2.7.0
All affected versions: 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.10.15, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.6.0, 2.6.1, 2.6.2, 2.6.3
All unaffected versions: 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0
pypi:apache-airflow-providers-imap
Dependent packages: 7Dependent repositories: 363
Downloads: 3,965,101 last month
Affected Version Ranges: < 3.3.0
Fixed in: 3.3.0
All affected versions: 1.0.0, 1.0.1, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2
All unaffected versions: 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.5.0
pypi:apache-airflow-providers-smtp
Dependent packages: 3Dependent repositories: 0
Downloads: 3,146,531 last month
Affected Version Ranges: < 1.3.0
Fixed in: 1.3.0
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.2.0
All unaffected versions: 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.5.0, 1.6.0, 1.6.1