Improper Certificate Validation Affecting apache-airflow package, versions [,2.7.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.17% (56th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-APACHEAIRFLOW-5855820
  • published24 Aug 2023
  • disclosed23 Aug 2023
  • creditMartin Schobert

Introduced: 23 Aug 2023

CVE-2023-39441  (opens in a new tab)
CWE-295  (opens in a new tab)

How to fix?

Upgrade apache-airflow to version 2.7.0 or higher.

Overview

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Certificate Validation. Due to the improper validation in the SSL context, an attacker could potentially intercept the client's communication in a MITM position. This vulnerability allows for the acceptance of any server's X.509 certificate leading to possible disclosure of mail server credentials or mail content.

Note:

This is only exploitable if the default SSL context is being used. The attacker will need to inject themselves within the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications.

CVSS Scores

version 3.1