CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.002 Low
Percentile: 62.1%
apache_airflow is vulnerable to Improper Certificate Validation. The software does not properly validate SMTP certificates, so an attacker could present a malicious certificate to the client and use it to impersonate a legitimate mail server, allowing the attacker to steal mail server credentials or mail contents. To exploit this vulnerability, the attacker would need to be able to intercept the communication between the client and the mail server.
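The weak and the validating TLS client settings for SMTP side by side, as an added example that is not Airflow's code or its patch. It assumes the client is Python's standard smtplib; the function names are hypothetical.

```python
import smtplib
import ssl


def unverified_context() -> ssl.SSLContext:
    """Weak setting: a client context that accepts any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """Corrected setting: verify the chain against system CAs and match the host name."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the reasons this context would accept an impersonated mail server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server host name")
    return findings


def open_smtp(host: str, port: int, ctx: ssl.SSLContext,
              timeout: float = 10.0) -> smtplib.SMTP:
    """Connect and upgrade with STARTTLS, refusing contexts that skip validation."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing SMTP TLS context: " + "; ".join(findings))
    client = smtplib.SMTP(host, port, timeout=timeout)
    try:
        # Without an explicit context, smtplib's starttls() does not verify the server.
        client.starttls(context=ctx)  # raises ssl.SSLError on an untrusted certificate
        client.ehlo()                 # re-identify over TLS before any login()
    except Exception:
        client.close()
        raise
    return client
```

Calling `login()` only on the object returned by `open_smtp` keeps credentials off any connection whose certificate was not validated.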
www.openwall.com/lists/oss-security/2023/08/23/2
github.com/advisories/GHSA-5f35-pq34-c87q
github.com/apache/airflow/commit/120efc186556b1e9498f90ad436c74e5f4e138e9
github.com/apache/airflow/commit/52ca7bfc988f4c9b608f544bc3e9524fd6564639
github.com/apache/airflow/commit/e20325db38fdfdd9db423a345b13d18aab6fe578
github.com/apache/airflow/pull/33070
github.com/apache/airflow/pull/33075
github.com/apache/airflow/pull/33108
lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lb