=====================================================================

                               CERT-Renater

                     Note d'Information No. 2023/VULN294

_____________________________________________________________________

DATE                : 05/09/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Airflow SMTP Provider
                                versions prior to 1.30,
                 Apache Airflow IMAP Provider versions prior to 3.3.0,
                         Apache Airflow versions prior to 2.7.0.

=====================================================================
https://lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lb
_____________________________________________________________________

CVE-2023-39441: Apache Airflow SMTP Provider, Apache Airflow IMAP
Provider, Apache Airflow: SMTP/IMAP client components allowed MITM
due to missing Certificate Validation

Severity: moderate

Affected versions:

- Apache Airflow SMTP Provider before 1.30
- Apache Airflow IMAP Provider before 3.3.0
- Apache Airflow before 2.7.0

Description:

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider
before 3.3.0, and Apache Airflow before 2.7.0 are affected by the
Validation of OpenSSL Certificate vulnerability.

The default SSL context with SSL library did not check a server's
X.509 certificate.  Instead, the code accepted any certificate,
which could result in the disclosure of mail server credentials
or mail contents when the client connects to an attacker in a
MITM position.

Users are strongly advised to upgrade to Apache Airflow version
2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or
newer, and Apache Airflow SMTP Provider version 1.3.0 or newer
to mitigate the risk associated with this vulnerability


Credit:

Martin Schobert, Pentagrid AG (finder)

References:

https://github.com/apache/airflow/pull/33075
https://github.com/apache/airflow/pull/33108
https://github.com/apache/airflow/pull/33070
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39441


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================