GHSA-3gg8-mc87-cq3h

Source
https://github.com/advisories/GHSA-3gg8-mc87-cq3h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-3gg8-mc87-cq3h/GHSA-3gg8-mc87-cq3h.json
Published
2024-04-21T18:30:36Z
Modified
2024-05-02T19:16:30.581815Z
Details

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.

The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. The mitigation is to validate certificates properly by passing context=ssl.create_default_context() during FTP_TLS instantiation.

This issue affects Apache Airflow FTP Provider: before 3.7.0.

Users are recommended to upgrade to version 3.7.0, which fixes the issue.
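The difference between the two ways of instantiating FTP_TLS can be checked without opening a connection. The following is an added example, not code from the Airflow FTP provider; the function names are hypothetical, and it relies on the standard-library behaviour that ftplib.FTP_TLS builds a non-verifying context when none is passed.

```python
import ssl
from ftplib import FTP_TLS


def tls_posture(client: FTP_TLS) -> dict:
    """Report the two context settings that decide whether the server is authenticated."""
    ctx = client.context
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def require_verified(client: FTP_TLS) -> FTP_TLS:
    """Guard to call before connect()/login(): refuse a client that skips validation."""
    posture = tls_posture(client)
    if not all(posture.values()):
        raise ValueError(f"FTP_TLS client does not validate certificates: {posture}")
    return client


def unvalidated_client() -> FTP_TLS:
    # No context argument: ftplib creates its own context with CERT_NONE and
    # hostname checking off, so any certificate is accepted.
    # Passing no host means no network connection is attempted here.
    return FTP_TLS()


def validated_client() -> FTP_TLS:
    # The mitigation named in the advisory: a default context requires a
    # trusted chain (CERT_REQUIRED) and a certificate matching the host name.
    return FTP_TLS(context=ssl.create_default_context())


if __name__ == "__main__":
    print("without context:", tls_posture(unvalidated_client()))
    print("with default context:", tls_posture(validated_client()))
    require_verified(validated_client())
    try:
        require_verified(unvalidated_client())
    except ValueError as exc:
        print("rejected:", exc)
```

Calling require_verified() on every FTP_TLS object before connecting gives a fail-closed check in code that cannot yet move to provider version 3.7.0.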

Affected packages

PyPI / apache-airflow-providers-ftp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
3.7.0

Affected versions

1.*

1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1rc1
1.0.1
1.1.0rc1
1.1.0

2.*

2.0.0rc1
2.0.0rc2
2.0.0
2.0.1rc1
2.0.1
2.1.0rc1
2.1.0
2.1.1rc1
2.1.1
2.1.2rc1
2.1.2

3.*

3.0.0rc1
3.0.0rc2
3.0.0
3.1.0rc1
3.1.0
3.2.0rc1
3.2.0
3.3.0rc1
3.3.0rc2
3.3.0
3.3.1rc1
3.3.1
3.4.0rc1
3.4.0rc2
3.4.0
3.4.1rc1
3.4.1
3.4.2rc1
3.4.2
3.5.0rc1
3.5.0
3.5.1rc1
3.5.1
3.5.2rc1
3.5.2
3.6.0rc1
3.6.0
3.6.1rc1
3.6.1
3.7.0rc1