CVE-2023-39441 — MEDIUM (5.9)

Q: How severe is CVE-2023-39441?

CVE-2023-39441 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-39441?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow, Apache Apache-Airflow-Providers-Imap, Apache Apache-Airflow-Providers-Smtp.

Vulnerability Description

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default SSL context with SSL library did not check a server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position. Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Airflow	< 2.7.0
Apache	Apache-Airflow-Providers-Imap	< 3.3.0
Apache	Apache-Airflow-Providers-Smtp	< 1.3.0

Related Weaknesses (CWE)

CWE-295

References

http://www.openwall.com/lists/oss-security/2023/08/23/2Mailing ListPatchThird Party Advisory
https://github.com/apache/airflow/pull/33070Patch
https://github.com/apache/airflow/pull/33075Patch
https://github.com/apache/airflow/pull/33108Patch
https://lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lbMailing ListPatchVendor Advisory
http://www.openwall.com/lists/oss-security/2023/08/23/2Mailing ListPatchThird Party Advisory
https://github.com/apache/airflow/pull/33070Patch
https://github.com/apache/airflow/pull/33075Patch
https://github.com/apache/airflow/pull/33108Patch
https://lists.apache.org/thread/xzp4wgjg2b1o6ylk2595df8bstlbo1lbMailing ListPatchVendor Advisory

FAQ

What is CVE-2023-39441?

CVE-2023-39441 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability. The default ...

How severe is CVE-2023-39441?

CVE-2023-39441 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-39441?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Airflow, Apache Apache-Airflow-Providers-Imap, Apache Apache-Airflow-Providers-Smtp.