CVE-2023-39441

Apache Airflow SMTP Provider, Apache Airflow IMAP Provider, Apache Airflow: SMTP/IMAP client components allowed MITM due to missing Certificate Validation

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability.

The default SSL context with SSL library did not check a server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position.

Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability

Apache Airflow SMTP Provider antes de 1.3.0, Apache Airflow IMAP Provider antes de 3.3.0, y Apache Airflow antes de 2.7.0 están afectados por la vulnerabilidad Validation of OpenSSL Certificate. El contexto SSL por defecto con la librería SSL no comprobaba el certificado X.509 de un servidor. En su lugar, el código aceptaba cualquier certificado, lo que podía dar lugar a la revelación de credenciales del servidor de correo o del contenido del correo cuando el cliente se conectaba a un atacante en posición MITM. Se recomienda encarecidamente a los usuarios que actualicen a Apache Airflow versión 2.7.0 o posterior, Apache Airflow IMAP Provider versión 3.3.0 o posterior y Apache Airflow SMTP Provider versión 1.3.0 o posterior para mitigar el riesgo asociado a esta vulnerabilidad.

*Credits: Martin Schobert, Pentagrid AG

CVSS Scores

NISTv3.1 5.9

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-08-02 CVE Reserved
2023-08-23 CVE Published
2024-09-24 EPSS Updated
2024-09-27 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-295: Improper Certificate Validation

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2023/08/23/2	2023-08-29
https://github.com/apache/airflow/pull/33070	2023-08-29
https://github.com/apache/airflow/pull/33075	2023-08-29
https://github.com/apache/airflow/pull/33108	2023-08-29
https://lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lb	2023-08-29

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Airflow Search vendor "Apache" for product "Airflow"				< 2.7.0 Search vendor "Apache" for product "Airflow" and version " < 2.7.0"		-		Affected
Apache Search vendor "Apache"		Apache-airflow-providers-imap Search vendor "Apache" for product "Apache-airflow-providers-imap"				< 3.3.0 Search vendor "Apache" for product "Apache-airflow-providers-imap" and version " < 3.3.0"		-		Affected
Apache Search vendor "Apache"		Apache-airflow-providers-smtp Search vendor "Apache" for product "Apache-airflow-providers-smtp"				< 1.3.0 Search vendor "Apache" for product "Apache-airflow-providers-smtp" and version " < 1.3.0"		-		Affected