Vulnerability	Vulnerable Version
C Key Exchange without Entity Authentication apache-airflow-providers-google is a Provider for Apache Airflow. Implements apache-airflow-providers-google package Affected versions of this package are vulnerable to Key Exchange without Entity Authentication due to SSH host key verification being disabled by default in the `ComputeEngineSSHHook` process. An attacker can intercept or modify SSH sessions by performing a man-in-the-middle attack between the Airflow worker and the Compute Engine VM. **Note: The fixed code still defaults to `"auto_add"`, preserving the historical behavior of this hook; users are recommended to to review the settings accordingly. How to fix Key Exchange without Entity Authentication? Upgrade `apache-airflow-providers-google` to version 22.0.0rc1 or higher.	[,22.0.0rc1)

Key Exchange without Entity Authentication

apache-airflow-providers-google is a Provider for Apache Airflow. Implements apache-airflow-providers-google package

Affected versions of this package are vulnerable to Key Exchange without Entity Authentication due to SSH host key verification being disabled by default in the ComputeEngineSSHHook process. An attacker can intercept or modify SSH sessions by performing a man-in-the-middle attack between the Airflow worker and the Compute Engine VM.

**Note: The fixed code still defaults to "auto_add", preserving the historical behavior of this hook; users are recommended to to review the settings accordingly.

How to fix Key Exchange without Entity Authentication?

Upgrade apache-airflow-providers-google to version 22.0.0rc1 or higher.

[,22.0.0rc1)

Go back to all versions of this package