Mongo Hook Fixes Unexpected SSL Validation Issue
CVE-2024-25141

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Apache Airflow Mongo Provider
Vendor: CVE Published:; 20 February 2024

Summary

A security vulnerability has been identified in Apache Airflow's Mongo Hook when SSL is enabled. The default settings included 'allow_insecure', which unintentionally permitted the acceptance of unvalidated SSL certificates. This configuration oversight was not documented, exposing users to potential security risks. It is strongly advised that users upgrade to version 4.0.0, which rectifies this issue by enforcing proper SSL certificate validation to enhance security.

Affected Version(s)

Apache Airflow Mongo Provider 1.0.0 < 4.0.0

References

https://github.com/apache/airflow/pull/37214

patch

https://lists.apache.org/thread/sqgbfqngjmn45ommmrgj7hvs7...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/02/20/5

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 20, 2024
Vulnerability Reserved
Feb 6, 2024

Credit

Noah Stapp