CVE-2023-39441

CVSS 3.1 Score 5.9 of 10 (medium)

Details

Published Aug 23, 2023
Updated: Aug 29, 2023
CWE ID 295

Summary

CVE-2023-39441 affects Apache Airflow SMTP Provider before 1.3.0, IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0. It allows an attacker in a man-in-the-middle (MITM) position to disclose mail server credentials or mail contents because SSL certificates are not validated. The default SSL context failed to check a server's X.509 certificate and instead accepted any certificate, increasing the risk of man-in-the-middle attacks. To mitigate this risk, users are advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer.
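The weakness class described above (CWE-295), shown as an added Python example that is not Airflow's or the providers' own code: a TLS context that accepts any certificate beside a validating one, with a check that refuses to open a mail connection over the former. The function names are hypothetical.

```python
import smtplib
import ssl


def accept_any_context():
    """Constructed to mirror the described flaw: no chain or hostname checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx


def validating_context(cafile=None):
    """Validating context: CERT_REQUIRED plus hostname matching.

    cafile is optional, for a mail server signed by a private CA.
    """
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return the reasons ctx would accept an untrusted or mismatched certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED (chain not validated)")
    if not ctx.check_hostname:
        findings.append("check_hostname is False (name not matched to server)")
    return findings


def connect_smtp_ssl(host, port, ctx):
    """Open SMTP over TLS only if ctx validates the server certificate."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing non-validating TLS context: " + "; ".join(problems))
    return smtplib.SMTP_SSL(host, port, context=ctx, timeout=10)


if __name__ == "__main__":
    for name, ctx in (("accept-any", accept_any_context()),
                      ("validating", validating_context())):
        print(name, audit_context(ctx) or "OK")
```

The same context object can be passed to `imaplib.IMAP4_SSL` through its `ssl_context` argument.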


Affected Products

  • Apache Airflow

Affected Vendors

  • Apache Software Foundation