GHSA-q8h9-pqcx-59hw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q8h9-pqcx-59hw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-q8h9-pqcx-59hw/GHSA-q8h9-pqcx-59hw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-q8h9-pqcx-59hw
- Aliases
- Published
- 2022-09-03T00:00:25Z
- Modified
- 2024-09-11T20:04:01.348727Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Apache Airflow exposes arbitrary file content
- Details
-
In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the
--daemonflag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver. - Database specific
{ "github_reviewed_at": "2022-09-16T17:13:45Z", "severity": "MODERATE", "cwe_ids": [ "CWE-362" ], "github_reviewed": true, "nvd_published_at": "2022-09-02T07:15:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-38170
- https://github.com/apache/airflow/commit/b6a2cd1aa34f69a36ea127e4f7f5ba87f4aca420
- https://github.com/apache/airflow/commit/bf01d10cd348e679916034de1befb79ec6e46ff8
- https://github.com/apache/airflow/commit/c14ea8f0f34944d2ecfa9021d167602e8b2b8b90
- https://github.com/advisories/GHSA-q8h9-pqcx-59hw
- https://github.com/apache/airflow
- https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2022-261.yaml
- https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv
- http://www.openwall.com/lists/oss-security/2022/09/02/12
- http://www.openwall.com/lists/oss-security/2022/09/02/3
- http://www.openwall.com/lists/oss-security/2022/09/21/2
Affected packages
PyPI / apache-airflow
Package
- Name
- apache-airflow
- View open source insights on deps.dev
- Purl
- pkg:pypi/apache-airflow
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.4
Affected versions
1.*
1.8.1
1.8.2rc1
1.8.2
1.9.0
1.10.0
1.10.1b1
1.10.1rc2
1.10.1
1.10.2b2
1.10.2rc1
1.10.2rc2
1.10.2rc3
1.10.2
1.10.3b1
1.10.3b2
1.10.3rc1
1.10.3rc2
1.10.3
1.10.4b2
1.10.4rc1
1.10.4rc2
1.10.4rc3
1.10.4rc4
1.10.4rc5
1.10.4
1.10.5rc1
1.10.5
1.10.6rc1
1.10.6rc2
1.10.6
1.10.7rc1
1.10.7rc2
1.10.7rc3
1.10.7
1.10.8rc1
1.10.8
1.10.9rc1
1.10.9
1.10.10rc1
1.10.10rc2
1.10.10rc3
1.10.10rc4
1.10.10rc5
1.10.10
1.10.11rc1
1.10.11rc2
1.10.11
1.10.12rc1
1.10.12rc2
1.10.12rc3
1.10.12rc4
1.10.12
1.10.13rc1
1.10.13
1.10.14rc1
1.10.14rc2
1.10.14rc3
1.10.14rc4
1.10.14
1.10.15rc1
1.10.15
2.*
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0
2.0.1rc1
2.0.1rc2
2.0.1
2.0.2rc1
2.0.2
2.1.0rc1
2.1.0rc2
2.1.0
2.1.1rc1
2.1.1
2.1.2rc1
2.1.2
2.1.3rc1
2.1.3
2.1.4rc1
2.1.4rc2
2.1.4
2.2.0b1
2.2.0b2
2.2.0rc1
2.2.0
2.2.1rc1
2.2.1rc2
2.2.1
2.2.2rc1
2.2.2rc2
2.2.2
2.2.3rc1
2.2.3rc2
2.2.3
2.2.4rc1
2.2.4
2.2.5rc1
2.2.5rc2
2.2.5rc3
2.2.5
2.3.0b1
2.3.0rc1
2.3.0rc2
2.3.0
2.3.1rc1
2.3.1
2.3.2rc1
2.3.2rc2
2.3.2
2.3.3rc1
2.3.3rc2
2.3.3rc3
2.3.3
2.3.4rc1