CVE-2024-25141

CVE-2024-25141: Apache Airflow Mongo Provider: Certificate validation isn't respected even if SSL is enabled for apache-airflow-providers-mongo

Vendor: Apache Software Foundation
Product: Apache Airflow Mongo Provider
Weakness: CWE-295
Published: February 20, 2024
Last update: February 13, 2025

What the vulnerability does

Description

When ssl was enabled for the Mongo Hook, the default settings included "allow_insecure", which meant that certificates were not validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue.

Key dates

Disclosure timeline

February 20, 2024: CVE published
February 13, 2025: Record updated