CVE-2023-25392: 
Python vulnerability analysis and mitigation

Allegro Tech BigFlow versions prior to 1.6 were found to be vulnerable to Missing SSL Certificate Validation (CVE-2023-25392). The vulnerability was discovered in December 2022 and was fixed with the release of BigFlow 1.6.0 in February 2023. The issue affected the getvaulttoken() function in the deployment module (Lutra Security).

The vulnerability exists in the getvaulttoken() function within bigflow/deploy.py, where requests to the vault endpoint were made with SSL certificate validation disabled (verify=False). This implementation could allow a man-in-the-middle attacker to intercept communications between the client and server. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could allow a man-in-the-middle attacker to read the vault secret and gain unauthorized access to the vault. The issue affects multiple entry points including bigflow deploy, bigflow deploy-dags, and bigflow build-image commands (Lutra Security).

The vulnerability has been fixed in BigFlow version 1.6.0. Users should upgrade to this version or later to address the security issue. The fix was implemented through a pull request that enabled TLS certificate verification in the getvaulttoken() function (GitHub PR).