Platform
python
Component
apache-airflow-providers-mongo
Fixed in
4.0.0
CVE-2024-25141 is a critical vulnerability affecting Apache Airflow Providers Mongo versions up to 4.0.0rc1. When SSL is enabled for the Mongo Hook, the default configuration inadvertently includes "allow_insecure", which disables certificate validation. This unexpected behavior exposes sensitive data transmitted to the MongoDB server.
The primary impact of this vulnerability is the potential for man-in-the-middle (MITM) attacks. Because certificate validation is bypassed, an attacker can intercept and potentially modify data transmitted between Apache Airflow and the MongoDB server. This could lead to data breaches, unauthorized access to sensitive information, and even the injection of malicious code into the database. The blast radius extends to any data processed by Airflow that relies on the Mongo Hook, potentially impacting critical business operations and regulatory compliance.
This vulnerability was publicly disclosed on 2024-02-20. While no active exploitation campaigns have been publicly reported, the critical CVSS score and the ease of exploitation (bypassing certificate validation) suggest a potential for exploitation. It is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the vulnerability's nature.
Organizations using Apache Airflow to manage data pipelines and interacting with MongoDB databases are at risk, particularly those relying on the apache-airflow-providers-mongo package. Environments where SSL is enabled for Mongo connections without proper certificate validation are especially vulnerable. Shared hosting environments utilizing Airflow and MongoDB should be prioritized for remediation.
• python / airflow:
from airflow.models import Connection
from airflow.settings import Session

# Check every Mongo connection stored in the Airflow metadata DB for the
# allow_insecure extra, which disables certificate validation when ssl is on.
session = Session()
for conn in session.query(Connection).filter(Connection.conn_type == "mongo"):
    extras = conn.extra_dejson  # parsed JSON from the connection's "extra" field
    # On affected versions an absent allow_insecure falls back to the insecure default
    if extras.get("ssl") and extras.get("allow_insecure", True):
        print(f"VULNERABLE: Connection {conn.conn_id} has allow_insecure enabled.")
session.close()
Exploit status
EPSS
0.07% (23rd percentile)
CVSS vector
The recommended mitigation is to upgrade to Apache Airflow Providers Mongo version 4.0.0, which resolves this issue. If upgrading is not immediately feasible, consider disabling SSL for the Mongo Hook connection. Alternatively, enforce certificate validation by explicitly configuring the sslcertfile and sslkeyfile parameters in your Airflow connection settings. Review Airflow connection configurations to ensure SSL is properly configured and certificate validation is enabled. After upgrade, confirm by verifying that the allow_insecure setting is no longer present in the Mongo Hook configuration.
Update the apache-airflow-providers-mongo package to version 4.0.0 or higher. This fixes the improper validation of SSL certificates. Run `pip install --upgrade apache-airflow-providers-mongo` to update.
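As an added illustration of the connection check and the mitigation described above (example code written for this page, not part of the original advisory or the provider's own code), the following pure-Python audit reads connection records in the shape Airflow stores them (conn_id, conn_type, extra JSON), flags Mongo connections whose TLS settings would skip certificate validation, and produces the hardened extras with `allow_insecure` set explicitly to false. The sample records are constructed; `ssl` and `allow_insecure` are the extras the advisory refers to, while `Finding`, `audit_mongo_extra` and `audit_all` are names chosen here and do not exist in Airflow.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of Airflow connection records (conn_id, conn_type, extra JSON),
# mirroring the columns of the Connection table; not taken from any real deployment.
SAMPLE_CONNECTIONS: List[Tuple[str, str, str]] = [
    ("mongo_default", "mongo", '{"ssl": true}'),                            # ssl on, allow_insecure unset
    ("mongo_reporting", "mongo", '{"ssl": true, "allow_insecure": true}'),  # explicitly insecure
    ("mongo_hardened", "mongo", '{"ssl": true, "allow_insecure": false}'),  # validation enforced
    ("mongo_plain", "mongo", "{}"),                                          # no TLS at all
    ("postgres_default", "postgres", '{"sslmode": "require"}'),              # not a Mongo connection
]


@dataclass
class Finding:
    conn_id: str
    reason: str
    fixed_extra: str  # JSON for the "extra" field with certificate validation enforced


def audit_mongo_extra(conn_id: str, conn_type: str, extra: str) -> Optional[Finding]:
    """Return a Finding when a Mongo connection's TLS settings would skip
    certificate validation on an affected provider version, else None."""
    if conn_type != "mongo":
        return None
    try:
        extras = json.loads(extra) if extra else {}
    except json.JSONDecodeError:
        # A malformed extra field cannot be trusted either way; report it for review.
        return Finding(conn_id, "extra field is not valid JSON", extra)
    if not extras.get("ssl", False):
        return None  # SSL is off, so the advisory's default does not apply
    allow_insecure = extras.get("allow_insecure")
    if allow_insecure is False:
        return None  # certificate validation explicitly enforced
    if allow_insecure:
        reason = "allow_insecure is explicitly true"
    else:
        reason = "ssl enabled with allow_insecure unset (affected versions default to insecure)"
    # Hardened extras: keep everything else, set allow_insecure=false explicitly.
    hardened = dict(extras, allow_insecure=False)
    return Finding(conn_id, reason, json.dumps(hardened, sort_keys=True))


def audit_all(records: List[Tuple[str, str, str]]) -> List[Finding]:
    """Audit every record and return only the connections that need attention."""
    return [f for f in (audit_mongo_extra(*r) for r in records) if f is not None]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_CONNECTIONS):
        print(f"VULNERABLE: {finding.conn_id}: {finding.reason}")
        print(f"    suggested extra: {finding.fixed_extra}")
```

In a live deployment the same function can be fed from `Connection.conn_id`, `Connection.conn_type` and `Connection.extra` of each row in the metadata database, and the suggested extras written back only after the provider has been upgraded to 4.0.0, where an explicit `allow_insecure: false` is the setting the upgrade guidance above tells you to confirm.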
CVE-2024-25141 is a critical vulnerability in Apache Airflow Providers Mongo where enabling SSL without certificate validation allows for potential MITM attacks.
You are affected if you use Apache Airflow Providers Mongo versions 4.0.0rc1 or earlier and have SSL enabled for your Mongo Hook connections.
Upgrade to Apache Airflow Providers Mongo version 4.0.0. Alternatively, disable SSL or enforce certificate validation in your Airflow connection settings.
No active exploitation campaigns have been publicly reported, but the critical severity suggests a potential for exploitation.
Refer to the Apache Airflow security advisories: https://airflow.apache.org/docs/security