From: Elad Kalif
To: oss-security@lists.openwall.com
Message-ID: <8d4a4f8a-373d-fff2-c82e-5805f44e3ae3@apache.org>
Date: Fri, 19 Apr 2024 10:08:58 +0000
Subject: [oss-security] CVE-2024-29733: Apache Airflow FTP Provider: FTP_TLS instance with unverified SSL context

Severity: low

Affected versions:
- Apache Airflow FTP Provider before 3.7.0

Description:
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.
The FTP hook does not fully validate the server certificate in FTP_TLS connections, which can potentially be leveraged.

Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as the mitigation to validate certificates properly.

This issue affects Apache Airflow FTP Provider: before 3.7.0.

Users are recommended to upgrade to version 3.7.0, which fixes the issue.

Credit:
Eric Brown of Secure Sauce LLC (finder)

References:
https://github.com/apache/airflow/pull/38266
https://github.com/apache/airflow/blob/95e26118b828c364755f3a8c96870f3591b01c31/airflow/providers/ftp/hooks/ftp.py#L280
https://docs.python.org/3/library/ssl.html#best-defaults
https://airflow.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-29733
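The following is an added example, not code from the advisory, the Airflow FTP provider, or ftplib; it shows the weak and the hardened construction side by side. When ftplib's FTP_TLS is created without a context, the standard library falls back to an unverified SSL context (verify_mode CERT_NONE, check_hostname False), so any server certificate is accepted. Passing context=ssl.create_default_context(), the mitigation named above, yields a context that loads the platform CA store, requires a certificate and checks the hostname. The helper names make_ftp_tls, context_is_verified and audit are hypothetical; no network connection is made, only the client object's TLS settings are inspected.

```python
# Added example (not Airflow's or ftplib's own code): compare an FTP_TLS
# client built without a context against one built with the advisory's
# mitigation, context=ssl.create_default_context().
import ssl
from ftplib import FTP_TLS


def make_ftp_tls(verify: bool = True) -> FTP_TLS:
    """Build an FTP_TLS client object without connecting anywhere.

    verify=False reproduces the weak pattern: FTP_TLS with no context, which
    makes ftplib fall back to an unverified context.
    verify=True applies the advisory's mitigation.
    """
    if not verify:
        return FTP_TLS()  # no context given: stdlib default is CERT_NONE
    # Mitigation from the advisory: a context that loads the system CA
    # store, requires a server certificate and verifies the hostname.
    return FTP_TLS(context=ssl.create_default_context())


def context_is_verified(ftp: FTP_TLS) -> bool:
    """True only if the client will reject an unverifiable server."""
    ctx = ftp.context
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def audit(ftp: FTP_TLS) -> dict:
    """Summarize the two settings a reviewer should check on an FTP_TLS."""
    return {
        "verify_mode": ftp.context.verify_mode.name,
        "check_hostname": ftp.context.check_hostname,
        "verified": context_is_verified(ftp),
    }


if __name__ == "__main__":
    for label, client in (("no context", make_ftp_tls(verify=False)),
                          ("default context", make_ftp_tls(verify=True))):
        print(f"{label:16s} {audit(client)}")
```

The same audit applies to any code that constructs FTP_TLS: if verify_mode is not CERT_REQUIRED or check_hostname is False, the connection is encrypted but the peer is not authenticated, which is exactly the condition this CVE describes.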