Apache Airflow EmailOperator SMTP STARTTLS Certificate Validation Vulnerability

Vulnerability

A vulnerability exists in Apache Airflow's EmailOperator and the associated 'airflow.utils.email' helpers, affecting versions from 2.0.0 up to, but not including, 3.2.2. The issue arises when a deployment is configured with 'smtp_starttls=True' and 'smtp_ssl=False': the Airflow worker completes the STARTTLS handshake without verifying the SMTP server's certificate. An attacker positioned between the worker and the SMTP relay can therefore present a self-signed certificate and the worker will accept it. Successful exploitation exposes the SMTP AUTH credentials and the contents of the messages the worker sends, which matters most in environments where the SMTP relay sits on a less-trusted network segment than the worker.
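The following is an added illustration, not code from Airflow or from this advisory: it contrasts a STARTTLS client context that accepts any certificate (the weak state described above) with one that validates the chain and hostname, and adds a small audit of the 'smtp_starttls' / 'smtp_ssl' setting combination the advisory names. The config-audit and mail-sending helpers are hypothetical; only the two setting names come from the page.

```python
from __future__ import annotations

import smtplib
import ssl
from email.message import EmailMessage


def build_starttls_context(verify_server_cert: bool, cafile: str | None = None) -> ssl.SSLContext:
    """Return the SSLContext handed to SMTP.starttls().

    False reproduces the weak state the advisory describes: the handshake completes
    against any certificate, including a self-signed one from an interposed host.
    True is the hardened form: chain validation plus hostname checking.
    """
    if verify_server_cert:
        return ssl.create_default_context(cafile=cafile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate: the vulnerable state
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def smtp_config_findings(smtp_section: dict[str, str]) -> list[str]:
    """Audit an Airflow-style [smtp] section (constructed check, not Airflow code)."""
    starttls = smtp_section.get("smtp_starttls", "False").strip().lower() == "true"
    use_ssl = smtp_section.get("smtp_ssl", "False").strip().lower() == "true"
    findings: list[str] = []
    if starttls and not use_ssl:
        findings.append("smtp_starttls=True with smtp_ssl=False: confirm the STARTTLS "
                        "context verifies the relay certificate (fixed in Airflow 3.2.2)")
    if not starttls and not use_ssl:
        findings.append("smtp_starttls=False and smtp_ssl=False: SMTP AUTH and mail "
                        "contents travel in cleartext")
    return findings


def send_with_starttls(host: str, port: int, user: str, password: str,
                       msg: EmailMessage, ctx: ssl.SSLContext) -> None:
    """Hypothetical sender showing where the context matters (not Airflow's helper)."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        # A verifying context raises ssl.SSLCertVerificationError here when the
        # presented certificate does not chain to the trust store or the hostname
        # mismatches, so the credentials below are never sent to an interposed host.
        smtp.starttls(context=ctx)
        smtp.login(user, password)
        smtp.send_message(msg)
```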

Impact

Exploitation allows an attacker in a man-in-the-middle position during the STARTTLS handshake to intercept the SMTP authentication credentials and the message contents sent by the Airflow worker.

Remediation

Users are advised to upgrade to Apache Airflow version 3.2.2 or later. Instructions for upgrading can be found in the Apache Airflow documentation.

Added: Jun 1, 2026, 9:22 AM
Updated: Jun 1, 2026, 9:22 AM

Vulnerability Rating (Custom Algorithm)

spread: 5.0
impact: 2.5
exploitability: 6.9
remediation: 7.7
relevance: 9.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.