Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-29733 #2742

Closed
GoVulnBot opened this issue Apr 21, 2024 · 1 comment
Assignees
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2024-29733 references github.com/apache/airflow, which may be a Go module.

Description:
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.

The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly.

This issue affects Apache Airflow FTP Provider: before 3.7.0.

Users are recommended to upgrade to version 3.7.0, which fixes the issue.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/airflow
      vulnerable_at: 1.8.2
      packages:
        - package: Apache Airflow FTP Provider
summary: CVE-2024-29733 in github.com/apache/airflow
cves:
    - CVE-2024-29733
references:
    - fix: https://github.com/apache/airflow/pull/38266
    - web: https://github.com/apache/airflow/blob/95e26118b828c364755f3a8c96870f3591b01c31/airflow/providers/ftp/hooks/ftp.py#L280
    - web: https://docs.python.org/3/library/ssl.html#best-defaults
    - web: https://lists.apache.org/thread/265t5zbmtjs6h9fkw52wtp03nsbplky2
source:
    id: CVE-2024-29733

@maceonthompson maceonthompson self-assigned this Apr 22, 2024
@maceonthompson maceonthompson added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Apr 22, 2024
@tatianab tatianab added possibly not Go and removed excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. labels May 14, 2024
@tatianab tatianab added excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed possibly not Go labels Jun 5, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/590855 mentions this issue: data/excluded: add 20 excluded reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Development

No branches or pull requests

4 participants