Wiz
Vulnerability DatabaseCVE-2024-29733

CVE-2024-29733
Python vulnerability analysis and mitigation

Overview

CVE-2024-29733 is an Improper Certificate Validation vulnerability affecting Apache Airflow FTP Provider versions before 3.7.0. The vulnerability was discovered by Eric Brown of Secure Sauce LLC and disclosed in April 2024. The issue exists in the FTP hook component which lacks complete certificate validation in FTP_TLS connections (Apache Security).

Technical details

The vulnerability stems from incomplete certificate validation in FTP_TLS connections within the Apache Airflow FTP Provider. The CVSS v3.1 base score is 2.7 (LOW) with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. The issue is classified as CWE-295 (Improper Certificate Validation) (NVD).

Impact

The vulnerability could potentially be leveraged to perform man-in-the-middle attacks due to improper certificate validation in FTP_TLS connections. This could lead to unauthorized access to sensitive information transmitted over these connections (Apache Security).

Mitigation and workarounds

Users are recommended to upgrade to Apache Airflow FTP Provider version 3.7.0 or later, which fixes the issue by implementing proper certificate validation. The fix involves passing context=ssl.createdefaultcontext() during FTP_TLS instantiation to validate the certificates properly (Apache Security, GitHub PR).

Additional resources

SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues

Cloud threat landscape

Cloud threat landscape

A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

PEACH

PEACH

A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo