Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-29733 #2742

Closed
GoVulnBot opened this issue Apr 21, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-29733 #2742

GoVulnBot opened this issue Apr 21, 2024 · 1 comment
Assignees
@maceonthompson
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2024-29733 references github.com/apache/airflow, which may be a Go module.

Description:
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.

The FTP hook lacks complete certificate validation in FTP_TLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.create_default_context() during FTP_TLS instantiation is used as mitigation to validate the certificates properly.

This issue affects Apache Airflow FTP Provider: before 3.7.0.

Users are recommended to upgrade to version 3.7.0, which fixes the issue.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/airflow
      vulnerable_at: 1.8.2
      packages:
        - package: Apache Airflow FTP Provider
summary: CVE-2024-29733 in github.com/apache/airflow
cves:
    - CVE-2024-29733
references:
    - fix: https://github.com/apache/airflow/pull/38266
    - web: https://github.com/apache/airflow/blob/95e26118b828c364755f3a8c96870f3591b01c31/airflow/providers/ftp/hooks/ftp.py#L280
    - web: https://docs.python.org/3/library/ssl.html#best-defaults
    - web: https://lists.apache.org/thread/265t5zbmtjs6h9fkw52wtp03nsbplky2
source:
    id: CVE-2024-29733
@maceonthompson maceonthompson self-assigned this Apr 22, 2024
@maceonthompson maceonthompson added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Apr 22, 2024
@tatianab tatianab added possibly not Go and removed excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. labels May 14, 2024
@tatianab tatianab added excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. and removed possibly not Go labels Jun 5, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/590855 mentions this issue: data/excluded: add 20 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Jun 14, 2024
Closed
This was referenced Jul 17, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maceonthompson maceonthompson

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tatianab @gopherbot @maceonthompson @GoVulnBot