CVE-2018-20245 — Improper Certificate Validation in Apache Airflow

CWE-295 — Improper Certificate Validation5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 41.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Airflow Apache Software Foundation Apache Airflow

Timeline

PublishedJan 23

Latest updateJan 25

Description

The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) prior to Apache Airflow 1.10.1 was misconfigured and contained improper checking of exceptions which disabled server certificate checking.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/airflow< 1.10.1

▶CVEListV5apache_software_foundation/apache_airflowApache Airflow <= 1.10.0

🔴Vulnerability Details

OSV

Improper Certificate Validation in Apache Airflow↗2019-01-25

▶

GHSA

Improper Certificate Validation in Apache Airflow↗2019-01-25

▶

CVEList

CVE-2018-20245: The LDAP auth backend (airflow↗2019-01-23

▶

OSV

CVE-2018-20245: The LDAP auth backend (airflow↗2019-01-23

▶