Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-39441

Good to know:

icon
icon

Date: August 23, 2023

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate.  Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position. Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability

Language: Python

Severity Score

Related Resources (7)

http://www.openwall.com/lists/oss-security/2023/08/23/2
https://github.com/apache/airflow/pull/33075
https://lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lb
https://nvd.nist.gov/vuln/detail/CVE-2023-39441
https://github.com/apache/airflow/pull/33108
https://github.com/apache/airflow/pull/33070
https://www.mend.io/vulnerability-database/CVE-2023-39441

Severity Score

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

Top Fix

icon

Upgrade Version

Upgrade to version apache-airflow - 2.7.0, apache-airflow-providers-smtp - 1.3.0, apache-airflow-providers-imap - 3.3.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us