Improper Certificate Validation Affecting apache-airflow package, versions [,2.7.0)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-APACHEAIRFLOW-5855820
- published 24 Aug 2023
- disclosed 23 Aug 2023
- credit Martin Schobert
Introduced: 23 Aug 2023
CVE-2023-39441 Open this link in a new tabHow to fix?
Upgrade apache-airflow to version 2.7.0 or higher.
Overview
apache-airflow is a platform to programmatically author, schedule, and monitor workflows.
Affected versions of this package are vulnerable to Improper Certificate Validation. Due to the improper validation in the SSL context, an attacker could potentially intercept the client's communication in a MITM position. This vulnerability allows for the acceptance of any server's X.509 certificate leading to possible disclosure of mail server credentials or mail content.
Note:
This is only exploitable if the default SSL context is being used. The attacker will need to inject themselves within the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications.