pypi/apache-airflow-providers-ftp/CVE-2024-29733.yml

+---
+identifier: "CVE-2024-29733"
+identifiers:
+- "CVE-2024-29733"
+- "GHSA-3gg8-mc87-cq3h"
+package_slug: "pypi/apache-airflow-providers-ftp"
+title: "Improper Certificate Validation vulnerability in Apache Airflow FTP Provider"
+description: "Improper Certificate Validation vulnerability in Apache Airflow FTP
+  Provider.\n\nThe FTP hook lacks complete certificate validation in FTP_TLS connections,
+  which can potentially be leveraged. Implementing proper certificate validation by
+  passing context=ssl.create_default_context() during FTP_TLS instantiation is used
+  as mitigation to validate the certificates properly.\n\nThis issue affects Apache
+  Airflow FTP Provider: before 3.7.0.\n\nUsers are recommended to upgrade to version
+  3.7.0, which fixes the issue."
+date: "2024-04-24"
+pubdate: "2024-04-21"
+affected_range: "<3.7.0"
+fixed_versions:
+- "3.7.0"
+affected_versions: "All versions before 3.7.0"
+not_impacted: "All versions starting from 3.7.0"
+solution: "Upgrade to version 3.7.0 or above."
+urls:
+- "https://nvd.nist.gov/vuln/detail/CVE-2024-29733"
+- "https://github.com/advisories/GHSA-3gg8-mc87-cq3h"
+- "https://github.com/apache/airflow/pull/38266"
+- "https://docs.python.org/3/library/ssl.html#best-defaults"
+- "https://github.com/apache/airflow"
+- "https://github.com/apache/airflow/blob/95e26118b828c364755f3a8c96870f3591b01c31/airflow/providers/ftp/hooks/ftp.py#L280"
+- "https://lists.apache.org/thread/265t5zbmtjs6h9fkw52wtp03nsbplky2"
+uuid: "a2fdbff0-4461-48d5-bea4-649f4b6057fc"
+cwe_ids:
+- "CWE-295"
+- "CWE-937"
+- "CWE-1035"