Platform
python
Component
apache-airflow-providers-mongo
Fixed in
4.0.0
CVE-2024-25141 is an improper certificate validation vulnerability in Apache Airflow Providers Mongo affecting every release before 4.0.0 (up to and including 4.0.0rc1). When SSL/TLS was enabled on a Mongo Hook connection, the hook disabled validation of the MongoDB server's certificate by default (the advisory describes this as the "allow_insecure" option being on by default), so the client accepted whatever certificate the server presented. Traffic to MongoDB was therefore encrypted but not authenticated: anyone on the network path could terminate the TLS session with a certificate of their own and the hook would not notice.
The primary impact is exposure to man-in-the-middle (MITM) attacks. Because the server certificate is never checked, an attacker positioned between Apache Airflow and the MongoDB server can read and modify the data in transit, including the credentials the hook sends when it authenticates. That allows data theft, tampering with records written to or read from the database, and feeding altered results back into the tasks that consume them. The blast radius is every DAG that reaches MongoDB through the Mongo Hook over an SSL-enabled connection, with the usual downstream consequences for business operations and regulatory compliance.
This vulnerability was publicly disclosed on 2024-02-20. No active exploitation campaigns have been publicly reported and it is not listed in the CISA KEV catalog. Exploitation requires no bug-specific tooling, but it does require a position on the network path between the Airflow workers and MongoDB (or control of the DNS or routing that leads there); given that position, a standard TLS-intercepting proxy is enough, because the client accepts any certificate. The absence of public proof-of-concept code is therefore not a meaningful protection.
Exploit Status
EPSS
0.07% (23rd percentile)
CVSS Vector
The recommended mitigation is to upgrade to Apache Airflow Providers Mongo 4.0.0, which validates the server certificate by default when SSL/TLS is enabled. Disabling SSL is not a workaround: it removes encryption as well as authentication and leaves the same attacker able to read and modify the traffic in plaintext. Setting client certificate parameters such as sslcertfile and sslkeyfile is not a fix either; they configure how the client authenticates itself to the server and do not on their own make the client verify the server's certificate. Until you can upgrade, limit the network path between Airflow workers and MongoDB (private network, firewall rules) and inventory every connection of type mongo whose extras enable SSL. After upgrading, confirm that each of those connections still has SSL/TLS enabled and that none of them explicitly opts into insecure mode (for example an allow_insecure flag set to true in the connection extras).
Update the apache-airflow-providers-mongo package to version 4.0.0 or higher; this release corrects the SSL certificate validation. Run `pip install --upgrade "apache-airflow-providers-mongo>=4.0.0"` in every scheduler and worker environment (or rebuild the images) and restart them so the new hook code is the one tasks actually load.
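The block below is an added example, not code from the Airflow project or the hook as shipped. It puts a model of the pre-4.0.0 behaviour (assumed here: an `ssl` extra mapped to pymongo's `ssl_cert_reqs=CERT_NONE`) beside a hardened mapping that validates the server certificate unless an explicit `allow_insecure` opt-out is set, and adds a small audit that decides, per connection, whether the resulting MongoClient options would reject an untrusted server certificate. The connection ids, extras and version strings are constructed samples; `tls` and `tlsAllowInvalidCertificates` are real pymongo options, `ssl_cert_reqs` is the pymongo 3 spelling, and the version parser handles only X.Y.Z with an optional a/b/rc tag.

```python
"""Audit helpers for CVE-2024-25141 (apache-airflow-providers-mongo < 4.0.0).

Added example; not code from the Airflow project. The pre-4.0.0 hook
behaviour is modelled as an ASSUMPTION: extra "ssl": true mapped to
ssl_cert_reqs=CERT_NONE. The hardened mapping keeps pymongo's default
certificate validation unless the operator explicitly opts out.
"""
from __future__ import annotations

import json
import re
import ssl
from typing import Any


def is_affected(version: str) -> bool:
    """True for any provider release before 4.0.0, so 4.0.0rc1 counts as affected.

    Minimal PEP 440 handling: X.Y.Z with an optional a/b/rc pre-release tag.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    is_final = m.group(4) is None  # a pre-release sorts below its final release
    return (release, is_final) < ((4, 0, 0), True)


def vulnerable_client_kwargs(extra_json: str) -> dict[str, Any]:
    """MongoClient kwargs the way the pre-4.0.0 hook built them (assumed model).

    Turning on "ssl" silently disables server certificate checks.
    """
    extras = json.loads(extra_json or "{}")
    if extras.get("ssl", False):
        extras["ssl_cert_reqs"] = ssl.CERT_NONE  # the bug: accept any certificate
    return extras


def hardened_client_kwargs(extra_json: str) -> dict[str, Any]:
    """MongoClient kwargs that validate the server certificate by default.

    Only an explicit allow_insecure=true opts out, and that choice is visible
    in the resulting kwargs instead of being hidden inside the hook.
    """
    extras = json.loads(extra_json or "{}")
    allow_insecure = str(extras.pop("allow_insecure", "false")).lower() == "true"
    if extras.pop("ssl", False) or extras.get("tls", False):
        extras["tls"] = True  # pymongo verifies against the system CA store by default
        if allow_insecure:
            extras["tlsAllowInvalidCertificates"] = True
    return extras


def validates_server_cert(kwargs: dict[str, Any]) -> bool:
    """True if these MongoClient kwargs would reject an untrusted server certificate."""
    if not (kwargs.get("tls") or kwargs.get("ssl")):
        return False  # plaintext: nothing is authenticated, interception is trivial
    if kwargs.get("tlsAllowInvalidCertificates") or kwargs.get("tlsInsecure"):
        return False
    if kwargs.get("ssl_cert_reqs") == ssl.CERT_NONE:  # legacy pymongo 3 spelling
        return False
    return True


def audit_connections(conn_extras: dict[str, str], provider_version: str) -> dict[str, bool]:
    """Map conn_id -> True when that connection validates the server certificate.

    Before 4.0.0 every SSL-enabled connection is insecure regardless of its extras.
    """
    build = vulnerable_client_kwargs if is_affected(provider_version) else hardened_client_kwargs
    return {conn_id: validates_server_cert(build(extra)) for conn_id, extra in conn_extras.items()}


# Constructed sample connection extras (not real connections).
SAMPLE_EXTRAS = {
    "mongo_prod": '{"ssl": true}',
    "mongo_legacy_optout": '{"ssl": true, "allow_insecure": "true"}',
    "mongo_plaintext": "{}",
}

if __name__ == "__main__":
    for ver in ("3.6.0", "4.0.0rc1", "4.0.0"):
        status = "affected" if is_affected(ver) else "fixed"
        print(ver, status, audit_connections(SAMPLE_EXTRAS, ver))
```

To run this against a real deployment, feed `audit_connections` the `extra` field of each connection of type mongo (for example from `airflow connections export`) together with the installed provider version; any connection that reports False is one you either need to upgrade away from or, on 4.0.0, one that has deliberately opted out of validation and should be reviewed.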
CVE-2024-25141 is an improper certificate validation vulnerability in Apache Airflow Providers Mongo: enabling SSL on a Mongo Hook connection silently skipped validation of the server certificate, allowing MITM attacks on traffic to MongoDB.
You are affected if you use Apache Airflow Providers Mongo versions 4.0.0rc1 or earlier and have SSL enabled for your Mongo Hook connections.
Upgrade to Apache Airflow Providers Mongo 4.0.0. Do not disable SSL as a workaround; that removes encryption entirely. Until you upgrade, restrict the network path to MongoDB, and after upgrading make sure no connection explicitly opts into insecure mode.
No active exploitation campaigns have been publicly reported. Exploitation needs a network position between Airflow and MongoDB, after which interception is straightforward because the client accepts any certificate.
Refer to the Apache Airflow security advisories: https://airflow.apache.org/docs/security