Date: Fri, 19 Apr 2024 10:08:58 +0000
From: Elad Kalif <eladkal@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-29733: Apache Airflow FTP Provider: FTP_TLS instance with unverified SSL context

Severity: low

Affected versions:

- Apache Airflow FTP Provider before 3.7.0

Description:

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.

The FTP hook does not fully validate the server certificate on FTP_TLS connections, so a connection could be established to a server whose certificate is not trusted or does not match the host. The mitigation is to validate certificates properly by passing context=ssl.create_default_context() when instantiating FTP_TLS.

This issue affects Apache Airflow FTP Provider: before 3.7.0.

Users are recommended to upgrade to version 3.7.0, which fixes the issue.
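The following is an added illustration (not code from the Apache Airflow project) of the two FTP_TLS construction patterns the advisory contrasts: relying on ftplib's default, unverified SSL context versus passing ssl.create_default_context(). The make_ftp_tls helper and the audit_tls_context check are assumed names; the client is built with an empty host so nothing is connected, and the audit inspects the SSLContext the client would use.

```python
import ssl
from ftplib import FTP_TLS


def make_ftp_tls(host: str = "", verify_certs: bool = True) -> FTP_TLS:
    """Build an FTP_TLS client without connecting (an empty host defers connect()).

    verify_certs=False mirrors the pre-fix pattern: FTP_TLS() with no context,
    so ftplib supplies an unverified SSLContext (CERT_NONE, no hostname check).
    verify_certs=True is the mitigation named in the advisory: pass
    context=ssl.create_default_context(), which requires a trusted certificate
    and enables hostname checking.
    """
    if verify_certs:
        context = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
        return FTP_TLS(host, context=context)
    return FTP_TLS(host)  # library default: no certificate verification


def audit_tls_context(ftp: FTP_TLS) -> dict:
    """Report whether the client's SSLContext will actually authenticate the server.

    A context only authenticates the peer when it both requires a certificate
    chaining to a trusted CA (CERT_REQUIRED) and checks the hostname against it.
    """
    ctx = ftp.context
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "authenticates_server": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


if __name__ == "__main__":
    # Constructed comparison: the unverified default versus the corrected context.
    for label, client in (
        ("unverified (pre-3.7.0 pattern)", make_ftp_tls(verify_certs=False)),
        ("verified (3.7.0 mitigation)", make_ftp_tls(verify_certs=True)),
    ):
        print(label, audit_tls_context(client))
```

The audit function is the kind of check worth running over any FTP_TLS (or other ssl-wrapped) client a deployment constructs: if verify_mode is CERT_NONE or check_hostname is False, the TLS session is encrypted but the peer is not authenticated, which is the condition the advisory describes.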

Credit:

Eric Brown of Secure Sauce LLC (finder)

References:

https://github.com/apache/airflow/pull/38266
https://github.com/apache/airflow/blob/95e26118b828c364755f3a8c96870f3591b01c31/airflow/providers/ftp/hooks/ftp.py#L280
https://docs.python.org/3/library/ssl.html#best-defaults
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-29733
