List:       oss-security
Subject:    [oss-security] CVE-2023-39441: Apache Airflow SMTP Provider, Apache Airflow IMAP Provider, Apache Ai
From:       Ephraim Anierobi <ephraimanierobi () apache ! org>
Date:       2023-08-23 10:33:16
Message-ID: 0227aa7c-d06f-93d7-34f2-931d922c0c53 () apache ! org

Severity: moderate

Affected versions:

- Apache Airflow SMTP Provider before 1.3.0
- Apache Airflow IMAP Provider before 3.3.0
- Apache Airflow before 2.7.0

Description:

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by an OpenSSL certificate validation vulnerability.

The default SSL context created with the SSL library did not verify the server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position.

Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability.
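An added example, not code from the Airflow providers or the linked fix PRs: the first context reproduces the weak setting the advisory describes (any server certificate accepted), the second is the verifying default, and a small audit helper reports why a context would let a MITM present an arbitrary certificate. The connection helpers and host names are assumptions.

```python
import imaplib
import smtplib
import ssl


def make_insecure_context() -> ssl.SSLContext:
    """Context that accepts any server certificate (the pre-fix behaviour
    the advisory describes). Built only to make the audit below concrete."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no chain validation at all
    return ctx


def make_verifying_context() -> ssl.SSLContext:
    """The corrected setting: system CA store, chain validation and hostname check."""
    return ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons a context would accept a MITM's certificate.
    An empty list means the context verifies the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: cert is not matched to the server name")
    return findings


def smtp_ssl_connection(host: str, port: int = 465, ctx=None) -> smtplib.SMTP_SSL:
    """Open an SMTPS session only with a verifying context (hypothetical helper)."""
    ctx = ctx or make_verifying_context()
    if audit_context(ctx):
        raise ValueError("refusing to connect with a non-verifying SSL context")
    return smtplib.SMTP_SSL(host, port, context=ctx)


def imap_ssl_connection(host: str, port: int = 993, ctx=None) -> imaplib.IMAP4_SSL:
    """Same guard for IMAPS; imaplib names the keyword ssl_context."""
    ctx = ctx or make_verifying_context()
    if audit_context(ctx):
        raise ValueError("refusing to connect with a non-verifying SSL context")
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)


if __name__ == "__main__":
    print("insecure:", audit_context(make_insecure_context()))   # two findings
    print("default :", audit_context(make_verifying_context()))  # []
```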

Credit:

Martin Schobert, Pentagrid AG (finder)

References:

https://github.com/apache/airflow/pull/33075
https://github.com/apache/airflow/pull/33108
https://github.com/apache/airflow/pull/33070
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39441
