x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2024-25141

[GoVulnBot]

CVE-2024-25141 references github.com/apache/airflow, which may be a Go module.

Description:
When ssl was enabled for Mongo Hook, default settings included "allow_insecure" which caused that certificates were not validated. This was unexpected and undocumented.
Users are recommended to upgrade to version 4.0.0, which fixes this issue.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-25141
• JSON: https://github.com/CVEProject/cvelist/tree/1435befe123b77be9c89de0f0394bd647c418fa5/2024/25xxx/CVE-2024-25141.json
• fix: Adding certificate validation for ssl in mongo hook apache/airflow#37214
• web: https://lists.apache.org/thread/sqgbfqngjmn45ommmrgj7hvs7fgspsgm
• Imported by: https://pkg.go.dev/github.com/apache/airflow?tab=importedby

Cross references:

• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-50943 #2473 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-50944 #2474 NOT_GO_CODE
• Module github.com/apache/airflow appears in issue x/vulndb: potential Go vuln in github.com/apache/airflow: CVE-2023-51702 #2475 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/apache/airflow
      vulnerable_at: 1.8.2
      packages:
        - package: Apache Airflow Mongo Provider
cves:
    - CVE-2024-25141
references:
    - fix: https://github.com/apache/airflow/pull/37214
    - web: https://lists.apache.org/thread/sqgbfqngjmn45ommmrgj7hvs7fgspsgm

[gopherbot]

Change https://go.dev/cl/590855 mentions this issue: data/excluded: add 20 excluded reports