GHSA-3gg8-mc87-cq3h

Source
https://github.com/advisories/GHSA-3gg8-mc87-cq3h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-3gg8-mc87-cq3h/GHSA-3gg8-mc87-cq3h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3gg8-mc87-cq3h
Aliases
Published
2024-04-21T18:30:36Z
Modified
2024-07-03T20:45:48.455257Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Summary
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider
Details

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.

The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly.

This issue affects Apache Airflow FTP Provider: before 3.7.0.

Users are recommended to upgrade to version 3.7.0, which fixes the issue.
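The difference between the two FTP_TLS configurations described above, shown with Python's standard ftplib. This is an added illustration, not the provider's own hook code (which the advisory does not reproduce): `insecure_ftp_tls`, `hardened_ftp_tls` and `audit_ftp_tls` are hypothetical helper names, and no host is supplied, so nothing connects; the example only inspects the SSL context each construction leaves behind.

```python
import ssl
from ftplib import FTP_TLS
from typing import Optional


def insecure_ftp_tls() -> FTP_TLS:
    """Build FTP_TLS without an explicit context (the weak form).

    When context is omitted, ftplib falls back to a stdlib context with
    verify_mode=CERT_NONE and check_hostname=False, so whatever certificate
    the server presents is accepted without being checked.
    """
    return FTP_TLS()  # constructed without a host: no network connection is made


def hardened_ftp_tls(ca_bundle: Optional[str] = None) -> FTP_TLS:
    """Build FTP_TLS the way the advisory recommends.

    ssl.create_default_context() enables CERT_REQUIRED and hostname checking
    against the system trust store, or against an explicit CA bundle when
    one is given (ca_bundle is an assumed, optional parameter).
    """
    context = ssl.create_default_context(cafile=ca_bundle)
    return FTP_TLS(context=context)  # again no host, so nothing connects


def audit_ftp_tls(ftp: FTP_TLS) -> list:
    """Return the certificate-validation weaknesses of an FTP_TLS object's
    SSL context; an empty list means the peer certificate is fully validated."""
    findings = []
    ctx = ftp.context
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the host")
    return findings


if __name__ == "__main__":
    cases = (
        ("FTP_TLS() with default context", insecure_ftp_tls()),
        ("FTP_TLS(context=ssl.create_default_context())", hardened_ftp_tls()),
    )
    for label, ftp in cases:
        findings = audit_ftp_tls(ftp)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

The same `audit_ftp_tls` check can be pointed at any FTP_TLS object a hook or script hands back, which makes it a cheap unit test for "did we actually pass a verifying context" rather than relying on a code review to spot the missing argument.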

Database specific
{
    "nvd_published_at": "2024-04-21T18:15:45Z",
    "cwe_ids": [
        "CWE-295"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T19:52:02Z"
}
References

Affected packages

PyPI / apache-airflow-providers-ftp

Package

Name
apache-airflow-providers-ftp
Purl
pkg:pypi/apache-airflow-providers-ftp

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.7.0

Affected versions

1.*

1.0.0b1
1.0.0b2
1.0.0rc1
1.0.0
1.0.1rc1
1.0.1
1.1.0rc1
1.1.0

2.*

2.0.0rc1
2.0.0rc2
2.0.0
2.0.1rc1
2.0.1
2.1.0rc1
2.1.0
2.1.1rc1
2.1.1
2.1.2rc1
2.1.2

3.*

3.0.0rc1
3.0.0rc2
3.0.0
3.1.0rc1
3.1.0
3.2.0rc1
3.2.0
3.3.0rc1
3.3.0rc2
3.3.0
3.3.1rc1
3.3.1
3.4.0rc1
3.4.0rc2
3.4.0
3.4.1rc1
3.4.1
3.4.2rc1
3.4.2
3.5.0rc1
3.5.0
3.5.1rc1
3.5.1
3.5.2rc1
3.5.2
3.6.0rc1
3.6.0
3.6.1rc1
3.6.1
3.7.0rc1