List: oss-security
Subject: [oss-security] CVE-2023-39441: Apache Airflow SMTP Provider, Apache Airflow IMAP Provider, Apache Ai
From: Ephraim Anierobi <ephraimanierobi () apache ! org>
Date: 2023-08-23 10:33:16
Message-ID: 0227aa7c-d06f-93d7-34f2-931d922c0c53 () apache ! org
Severity: moderate
Affected versions:
- Apache Airflow SMTP Provider before 1.3.0
- Apache Airflow IMAP Provider before 3.3.0
- Apache Airflow before 2.7.0
Description:
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability.
The default SSL context created with the SSL library did not check a server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position.
Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability.
Credit:
Martin Schobert, Pentagrid AG (finder)
References:
https://github.com/apache/airflow/pull/33075
https://github.com/apache/airflow/pull/33108
https://github.com/apache/airflow/pull/33070
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39441
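
Added example, not part of the advisory and not Airflow's own code: the accept-any-certificate setting described above next to a verifying context, with a check that refuses a context that skips certificate or hostname validation before it is handed to smtplib or imaplib. The function names and the host/port parameters are assumptions for illustration.

```python
import imaplib
import smtplib
import ssl
from typing import List, Optional


def weak_context() -> ssl.SSLContext:
    """Constructed stand-in for the flaw: any server certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Context that validates the chain and the hostname.

    cafile is an optional PEM bundle for a private CA (assumed parameter).
    """
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation steps this context would skip."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked")
    return findings


def require_verified(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Fail closed instead of silently talking to an unauthenticated server."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing TLS context: " + "; ".join(findings))
    return ctx


def open_smtp(host: str, port: int = 465) -> smtplib.SMTP_SSL:
    # host and port are hypothetical; the context is always passed explicitly.
    return smtplib.SMTP_SSL(host, port, context=require_verified(verified_context()))


def open_imap(host: str, port: int = 993) -> imaplib.IMAP4_SSL:
    return imaplib.IMAP4_SSL(host, port, ssl_context=require_verified(verified_context()))
```
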