Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-5f35-pq34-c87q

GitHub Security Advisory

Apache Airflow missing Certificate Validation

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability.

The default SSL context with SSL library did not check a server's X.509 certificate.  Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position.

Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability

Affected Packages

PyPI apache-airflow-providers-smtp
Affected versions: 0 (fixed in 1.3.0)
PyPI apache-airflow-providers-imap
Affected versions: 0 (fixed in 3.3.0)
PyPI apache-airflow
Affected versions: 0 (fixed in 2.7.0)

Related CVEs

CVE-2023-39441

Key Information

GHSA ID
GHSA-5f35-pq34-c87q
Published
August 23, 2023 6:30 PM
Last Modified
March 6, 2024 11:29 PM
CVSS Score
5.0 /10
Primary Ecosystem
PyPI
Primary Package
apache-airflow-providers-smtp
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 23, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.