First published: Wed Aug 23 2023(Updated: )
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position. Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability
Credit: security@apache.org security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Airflow | <2.7.0 | |
Apache Apache-airflow-providers-imap | <3.3.0 | |
Apache Apache-airflow-providers-smtp | <1.3.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-39441 is a vulnerability that affects Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0.
CVE-2023-39441 has a severity value of 5.9, which is considered medium.
CVE-2023-39441 affects Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0.
To fix CVE-2023-39441, you should update Apache Airflow SMTP Provider to version 1.3.0 or later, Apache Airflow IMAP Provider to version 3.3.0 or later, and Apache Airflow to version 2.7.0 or later.
Yes, you can find more information about CVE-2023-39441 in the references provided: http://www.openwall.com/lists/oss-security/2023/08/23/2, https://github.com/apache/airflow/pull/33070, and https://github.com/apache/airflow/pull/33075.