Veracode Vulnerability DatabaseVERACODE:42961Improper Certificate Validation
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
62.1%
apache_airflow is vulnerable to Improper Certificate Validation. The software does not properly validate SMTP certificates, which could allow an attacker to present a malicious certificate to the client which could be used to impersonate a legitimate mail server, allowing the attacker to steal mail server credentials or mail contents. To exploit this vulnerability, the attacker would need to be able to intercept the communication between the client and the mail server.
References
www.openwall.com/lists/oss-security/2023/08/23/2
github.com/advisories/GHSA-5f35-pq34-c87q
github.com/apache/airflow/commit/120efc186556b1e9498f90ad436c74e5f4e138e9
github.com/apache/airflow/commit/52ca7bfc988f4c9b608f544bc3e9524fd6564639
github.com/apache/airflow/commit/e20325db38fdfdd9db423a345b13d18aab6fe578
github.com/apache/airflow/pull/33070
github.com/apache/airflow/pull/33075
github.com/apache/airflow/pull/33108
lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lb
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
62.1%