CVE-2023-39441

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate.  Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position. Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache-airflow-providers-imap:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache-airflow-providers-smtp:*:*:*:*:*:*:*:*

History

29 Aug 2023, 15:48

Type Values Removed Values Added
First Time Apache airflow
Apache
Apache apache-airflow-providers-smtp
Apache apache-airflow-providers-imap
CPE cpe:2.3:a:apache:apache-airflow-providers-imap:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:airflow:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:apache-airflow-providers-smtp:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.9
References (MISC) http://www.openwall.com/lists/oss-security/2023/08/23/2 - (MISC) http://www.openwall.com/lists/oss-security/2023/08/23/2 - Mailing List, Patch, Third Party Advisory
References (MISC) https://lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lb - (MISC) https://lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lb - Mailing List, Patch, Vendor Advisory
References (MISC) https://github.com/apache/airflow/pull/33108 - (MISC) https://github.com/apache/airflow/pull/33108 - Patch
References (MISC) https://github.com/apache/airflow/pull/33070 - (MISC) https://github.com/apache/airflow/pull/33070 - Patch
References (MISC) https://github.com/apache/airflow/pull/33075 - (MISC) https://github.com/apache/airflow/pull/33075 - Patch

23 Aug 2023, 21:15

Type Values Removed Values Added
References
  • (MISC) http://www.openwall.com/lists/oss-security/2023/08/23/2 -

23 Aug 2023, 16:33

Type Values Removed Values Added
New CVE

Information

Published : 2023-08-23 16:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-39441

Mitre link : CVE-2023-39441

CVE.ORG link : CVE-2023-39441


JSON object : View

Products Affected

apache

  • airflow
  • apache-airflow-providers-imap
  • apache-airflow-providers-smtp
CWE
CWE-295

Improper Certificate Validation