
List:       oss-security
Subject:    [oss-security] CVE-2024-25141: Apache Airflow Mongo Provider: Certificate validation isn't respected
From:       Elad Kalif <eladkal () apache ! org>
Date:       2024-02-20 19:31:59
Message-ID: 1bb350d2-56b0-4ee2-c925-d92bb64d9f44 () apache ! org

Severity: low

Affected versions:

- Apache Airflow Mongo Provider 1.0.0 before 4.0.0

Description:

When SSL was enabled for Mongo Hook, the default settings included "allow_insecure", which
meant that certificates were not validated. This was unexpected and undocumented. Users are
recommended to upgrade to version 4.0.0, which fixes this issue.

Credit:

Noah Stapp (reporter)

References:

https://github.com/apache/airflow/pull/37214
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-25141
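
To check a deployment against the affected range stated above, the following added example (not part of the original advisory and not Apache Airflow code) classifies pins of the provider in a requirements file. The PyPI distribution name `apache-airflow-providers-mongo`, the function names and the sample file are assumptions of this example; only the range "1.0.0 before 4.0.0" comes from the advisory.

```python
import re

PACKAGE = "apache-airflow-providers-mongo"  # assumed PyPI distribution name
FIRST_AFFECTED = (1, 0, 0)  # "1.0.0 before 4.0.0", from the advisory
FIRST_FIXED = (4, 0, 0)
_NAME = re.compile(r"^([A-Za-z0-9._-]+)\s*(.*)$")
_EXACT = re.compile(r"^==\s*(\d+(?:\.\d+)*)$")

def _normalize(name):
    # PEP 503: case-insensitive, runs of '-', '_' and '.' are equivalent
    return re.sub(r"[-_.]+", "-", name).lower()

def classify(line):
    """Return 'affected', 'fixed', 'review', or None if the line names another package."""
    req = line.split("#", 1)[0].strip()
    m = _NAME.match(req)
    if not m or _normalize(m.group(1)) != PACKAGE:
        return None
    exact = _EXACT.match(m.group(2).strip())
    if not exact:
        # Ranges, markers, pre-releases or no pin: the resolver decides, so a human must look
        return "review"
    release = tuple(int(p) for p in exact.group(1).split("."))
    release += (0,) * (3 - len(release))  # pad "3.6" to (3, 6, 0)
    if release >= FIRST_FIXED:
        return "fixed"
    if release >= FIRST_AFFECTED:
        return "affected"
    return "review"  # below the range the advisory lists

def scan(text):
    """Return (line_number, verdict) for every line that names the Mongo provider."""
    pairs = ((n, classify(l)) for n, l in enumerate(text.splitlines(), start=1))
    return [(n, v) for n, v in pairs if v]

# Constructed requirements file, not taken from any real deployment
SAMPLE = """\
apache-airflow==2.8.1
apache-airflow-providers-mongo==3.6.0
Apache_Airflow.Providers-Mongo==4.0.0
apache-airflow-providers-mongo>=3.0
pymongo==4.6.1
"""

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE):
        print(f"line {number}: {verdict}")
```

A "review" verdict means the file alone does not determine which version gets installed, so the resolved environment has to be checked instead.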

