### Vulnerability Overview

- **Vulnerability Name**: Validate SMTP server certificate on STARTTLS upgrade #65346
- **Vulnerability Description**: `smtplib.SMTP.starttls()` does not verify the server certificate when no SSL context is passed. `airflow.utils.email.send_raw_email` and the SMTP provider's `get_conn` and `async_get_conn` methods call `starttls()` without a context, so certificate verification is skipped during the STARTTLS upgrade.

### Impact Scope

- **Affected Components**:
  - `airflow-core/src/airflow/utils/email.py`
  - `providers/smtp/src/airflow/providers/smtp/hooks/smtp.py`
- **Affected Versions**: Airflow 3.2.2

### Remediation

- **Fix Details**:
  - Pass the existing SSL context mechanism to `starttls()` at all three call sites.
  - Core: extract the SSL context lookup logic from `_get_smtp_connection` into `_build_ssl_context()`, driven by the existing `email.ssl_context` configuration.
  - Provider: extract the SSL context lookup logic into `_build_ssl_context()`, driven by the existing `ssl_context` connection extra configuration.
- **Default Behavior Changes**:
  - The default SSL context is now `ssl.create_default_context()`, which verifies the server certificate against system-trusted CAs.
  - Users who intentionally use self-signed certificates, or otherwise do not want SMTP server verification, can disable it:
    - Core: set `email.ssl_context = "none"` in `airflow.cfg`.
    - Provider: set `ssl_context: "none"` in the SMTP connection extra configuration.
- **Test Plan**:
  - `airflow-core/tests/unit/tests/test_email.py`: 25/25 passed
  - `providers/smtp/tests/unit/smtp/hooks/test_smtp.py`: 34/34 passed (including updates to the synchronous `test_who_called_after_starttls` and asynchronous `test_async_connection` tests to verify that `starttls` is called with an `ssl.SSLContext`)

### POC Code

- No specific POC code or exploit code is included in the page.
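To make the defect and the fix concrete, the following is an added example, not code from the Airflow PR: it implements the `"default"`/`"none"` context lookup the fix describes, hands the result to `starttls()`, and checks (as the updated tests do) that `starttls()` actually receives an `ssl.SSLContext`. The names `build_ssl_context`, `upgrade_to_tls` and the `RecordingSMTP` stand-in are constructed for this illustration.

```python
import smtplib
import ssl
from typing import Optional


def build_ssl_context(setting: str) -> Optional[ssl.SSLContext]:
    """Map the configured ssl_context setting (constructed helper, mirrors the
    page's `email.ssl_context` / `ssl_context` extra) to a context for starttls()."""
    value = (setting or "default").strip().lower()
    if value == "default":
        # Verifies the chain against system-trusted CAs and checks the hostname.
        return ssl.create_default_context()
    if value == "none":
        # Explicit opt-out for self-signed servers: no context means smtplib
        # falls back to an unverified context, the pre-fix behaviour.
        return None
    raise ValueError(f"unsupported ssl_context setting: {setting!r}")


def upgrade_to_tls(conn: smtplib.SMTP, setting: str = "default") -> bool:
    """Issue STARTTLS with the configured context and report whether the
    server certificate will be verified during the upgrade."""
    ctx = build_ssl_context(setting)
    # Vulnerable form was `conn.starttls()` with no context: silently unverified.
    conn.starttls(context=ctx)
    return ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


class RecordingSMTP:
    """Constructed stand-in for smtplib.SMTP that records what starttls() was
    called with, so the verification behaviour can be checked offline."""

    def __init__(self) -> None:
        self.contexts: list = []

    def starttls(self, *, context=None):
        self.contexts.append(context)
        return (220, b"2.0.0 Ready to start TLS")


def starttls_received_context(conn: RecordingSMTP) -> bool:
    """True when every recorded starttls() call carried a real SSLContext."""
    return bool(conn.contexts) and all(isinstance(c, ssl.SSLContext) for c in conn.contexts)


if __name__ == "__main__":
    fake = RecordingSMTP()
    print("verified:", upgrade_to_tls(fake, "default"))          # verified: True
    print("context passed:", starttls_received_context(fake))    # context passed: True
```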