
CVE-2024-25141: Improper Certificate Validation in apache airflow mongo hook

CVSS Score (CVSS v3.1)
9.1

Basic Information

EPSS Score
0.11679%
Published
2/20/2024
Updated
8/15/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package Name
apache-airflow-providers-mongo
Ecosystem
pip
Vulnerable Versions
< 4.0.0
First Patched Version
4.0.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from how SSL configuration was handled in the MongoDB connection setup. The patch in apache/airflow#37214 shows that the get_conn method was modified to remove insecure defaults. Previously, when SSL was enabled, certificate validation was disabled by default through an implicit 'allow_insecure' behaviour (CERT_NONE or a True value being applied without the user asking for it). This matches the CWE-295 description of improper certificate validation and aligns with the CVE description of unexpected, undocumented insecure defaults.
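To make the defect concrete, the following added illustration (not the provider's own code; the function names and the `pymongo_major` switch are assumptions) places the insecure default shape beside the fixed one and adds a small audit that flags pymongo client options which turn certificate validation off.

```python
import ssl

# Constructed illustration of the CWE-295 pattern: a hook enables TLS but
# silently defaults "allow_insecure" to True. Function names are hypothetical.


def legacy_get_client_options(extras: dict, pymongo_major: int = 4) -> dict:
    """Insecure shape: ssl on + allow_insecure unset => validation disabled."""
    options = dict(extras)
    if options.get("ssl", False):
        allow_insecure = options.pop("allow_insecure", True)  # the bad default
        if pymongo_major >= 4:
            options["tlsAllowInvalidCertificates"] = allow_insecure
        else:
            options["ssl_cert_reqs"] = (
                ssl.CERT_NONE if allow_insecure else ssl.CERT_REQUIRED
            )
    return options


def fixed_get_client_options(extras: dict, pymongo_major: int = 4) -> dict:
    """Fixed shape: validation stays on unless the user explicitly opts out."""
    options = dict(extras)
    if options.get("ssl", False):
        allow_insecure = options.pop("allow_insecure", False)  # secure default
        if pymongo_major >= 4:
            if allow_insecure:
                options["tlsAllowInvalidCertificates"] = True
        else:
            options["ssl_cert_reqs"] = (
                ssl.CERT_NONE if allow_insecure else ssl.CERT_REQUIRED
            )
    return options


def audit_tls_options(options: dict) -> list:
    """Return findings for client options that disable certificate checks."""
    findings = []
    if options.get("tlsAllowInvalidCertificates") is True:
        findings.append("tlsAllowInvalidCertificates=True disables certificate validation")
    if options.get("ssl_cert_reqs") == ssl.CERT_NONE:
        findings.append("ssl_cert_reqs=CERT_NONE disables certificate validation")
    if options.get("tlsInsecure") is True:
        findings.append("tlsInsecure=True disables certificate and hostname checks")
    return findings


if __name__ == "__main__":
    print(audit_tls_options(legacy_get_client_options({"ssl": True})))
    print(audit_tls_options(fixed_get_client_options({"ssl": True})))
```

Running the audit over the options a connection would actually be built with is a cheap regression check for any wrapper that assembles TLS settings from user-supplied extras.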


WAF Protection Rules

WAF Rule

When ssl was enabled for Mongo hook, default settings included "allow_insecure" which caused that certificates were not validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue.
