CVE-2018-20245: LDAP auth backend did not validate SSL certificate for
Apache Airflow <= 1.10.0
Vendor: The Apache Software Foundation
Versions Affected: <= 1.10.0
Description:
The LDAP auth backend (airflow.contrib.auth.backends.ldap_auth) was
misconfigured and contained improper exception handling: when setting up
certificate validation failed, the error was swallowed and the backend
silently fell back to a connection with server certificate checking
disabled, so an attacker able to intercept traffic to the LDAP server
could impersonate it.
Apache Airflow 1.10.1 and later only support TLS connections to LDAP
servers with certificate validation; insecure (unvalidated) connections
are no longer supported. Self-signed certificates are still allowed if
you pass the expected server certificate as the "cacert" option under
the "[ldap]" section of the config; a missing or unreadable cacert is now
an error rather than a silent downgrade.
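As an added illustration (not code from this advisory or from the Airflow project), the following shows the fail-open pattern described above beside a fail-closed version, using only the standard-library ssl and configparser modules. The helper names, the sample "[ldap]" sections and the "uri" key are assumptions made for the example; "cacert" is the option named in the advisory, and the "validate"/"ca_certs_file" field names are assumed to mirror what an LDAP client library's TLS setup would take.

```python
"""Fail-open vs. fail-closed handling of the [ldap] cacert option.

Added illustration, not Airflow's own code: it models the bug class named
in the advisory, where an exception raised while setting up certificate
validation is swallowed and the client silently falls back to an
unvalidated connection. Sample configs and helper names are constructed.
"""
import configparser
import os
import ssl
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LdapTlsSettings:
    """What an LDAP client's TLS setup would receive (field names assumed
    to mirror a typical client library's TLS options)."""
    use_ssl: bool
    validate: int                 # ssl.CERT_REQUIRED or ssl.CERT_NONE
    ca_certs_file: Optional[str]


# Constructed sample configs: "uri" is assumed, "cacert" is the option
# named in the advisory.
SAMPLE_CACERT_PATH = "/etc/ssl/certs/ldap-ca.pem"
CONFIG_WITHOUT_CACERT = """
[ldap]
uri = ldaps://ldap.example.org:636
"""
CONFIG_WITH_CACERT = f"""
[ldap]
uri = ldaps://ldap.example.org:636
cacert = {SAMPLE_CACERT_PATH}
"""


def load_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def _read_cacert(cfg: configparser.ConfigParser) -> str:
    """Return the [ldap] cacert path; raise if the option or file is missing."""
    cacert = cfg.get("ldap", "cacert", fallback="").strip()
    if not cacert:
        raise ValueError("[ldap] cacert is not configured")
    if not os.path.isfile(cacert):
        raise FileNotFoundError("[ldap] cacert file not found: " + cacert)
    return cacert


def vulnerable_tls_settings(cfg: configparser.ConfigParser) -> LdapTlsSettings:
    """Fail-open pattern (the bug class): a misconfiguration is swallowed and
    the connection proceeds with certificate checking disabled."""
    try:
        return LdapTlsSettings(True, ssl.CERT_REQUIRED, _read_cacert(cfg))
    except Exception:  # swallows ValueError/FileNotFoundError: silent downgrade
        return LdapTlsSettings(False, ssl.CERT_NONE, None)


def hardened_tls_settings(cfg: configparser.ConfigParser) -> LdapTlsSettings:
    """Fail-closed: validated TLS is the only mode; a missing cacert is a
    hard error at startup rather than a downgrade at connect time."""
    return LdapTlsSettings(True, ssl.CERT_REQUIRED, _read_cacert(cfg))


def ssl_context_for(settings: LdapTlsSettings) -> ssl.SSLContext:
    """Build the SSLContext a client would derive from the settings; refuses
    to produce an unvalidated context at all."""
    if settings.validate != ssl.CERT_REQUIRED or settings.ca_certs_file is None:
        raise ValueError("refusing to build an unvalidated TLS context")
    ctx = ssl.create_default_context(cafile=settings.ca_certs_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _hardened_outcome(cfg: configparser.ConfigParser) -> str:
    try:
        hardened_tls_settings(cfg)
        return "accepted"
    except (ValueError, FileNotFoundError):
        return "refused"


def demonstrate() -> dict:
    """Run both loaders on the sample configs and return the outcomes."""
    results = {}
    no_cacert = load_config(CONFIG_WITHOUT_CACERT)
    results["vulnerable_no_cacert"] = vulnerable_tls_settings(no_cacert)
    results["hardened_no_cacert"] = _hardened_outcome(no_cacert)
    missing_file = load_config(
        CONFIG_WITH_CACERT.replace(SAMPLE_CACERT_PATH, "/nonexistent/ldap-ca.pem"))
    results["hardened_missing_file"] = _hardened_outcome(missing_file)
    # Empty placeholder standing in for the CA bundle: only its existence is
    # checked here, so no real certificate is needed for the demonstration.
    fd, path = tempfile.mkstemp(suffix=".pem")
    os.close(fd)
    try:
        with_cacert = load_config(CONFIG_WITH_CACERT.replace(SAMPLE_CACERT_PATH, path))
        results["hardened_with_cacert"] = hardened_tls_settings(with_cacert)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The design point is that the fail-closed loader never has a code path that yields a CERT_NONE or non-TLS setting: a bad or absent cacert stops the process at startup, where an operator sees it, instead of being discovered only by someone sniffing the LDAP traffic.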
Credit:
This issue was discovered by Stijn van Drongelen
Thanks,
Ash Berlin-Taylor