Vulnerability Details CVE-2024-25141
When ssl was enabled for Mongo Hook, default settings included "allow_insecure" which caused that certificates were not validated. This was unexpected and undocumented.
Users are recommended to upgrade to version 4.0.0, which fixes this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 22.6%
CVSS Severity
CVSS v3 Score 9.1
References
- http://www.openwall.com/lists/oss-security/2024/02/20/5
- https://github.com/apache/airflow/pull/37214
- https://lists.apache.org/thread/sqgbfqngjmn45ommmrgj7hvs7fgspsgm
- http://www.openwall.com/lists/oss-security/2024/02/20/5
- https://github.com/apache/airflow/pull/37214
- https://lists.apache.org/thread/sqgbfqngjmn45ommmrgj7hvs7fgspsgm
Products affected by CVE-2024-25141
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:1.0.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:1.0.1
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:2.0.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:2.1.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:2.2.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:2.3.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:2.3.1
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:2.3.2
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:2.3.3
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.0.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.1.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.1.1
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.2.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.2.1
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.2.2
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.3.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.4.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.5.0
-
cpe:2.3:a:apache:apache-airflow-providers-mongo:3.6.0