Improper Certificate Validation Affecting apache-airflow package, versions [,2.7.0)


Severity

0.0
medium
0
10

    Threat Intelligence

    EPSS
    0.24% (63rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-APACHEAIRFLOW-5855820
  • published 24 Aug 2023
  • disclosed 23 Aug 2023
  • credit Martin Schobert

How to fix?

Upgrade apache-airflow to version 2.7.0 or higher.

Overview

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Certificate Validation. Due to the improper validation in the SSL context, an attacker could potentially intercept the client's communication in a MITM position. This vulnerability allows for the acceptance of any server's X.509 certificate leading to possible disclosure of mail server credentials or mail content.

Note:

This is only exploitable if the default SSL context is being used. The attacker will need to inject themselves within the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications.

CVSS Scores

version 3.1
Expand this section

Snyk

5.9 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

5.9 medium