What is CVE-2022-23470?

CVE-2022-23470 is a vulnerability in the Galaxy open-source platform for data analysis that allows for arbitrary file read.

How does CVE-2022-23470 affect Galaxy?

CVE-2022-23470 affects Galaxy versions 22.01 and 22.05, allowing an attacker to read any file accessible to the operating system user under which Galaxy is running.

What is the severity of CVE-2022-23470?

The severity of CVE-2022-23470 is high with a CVSS score of 7.5.

How do I fix CVE-2022-23470?

To fix CVE-2022-23470, it is recommended to update Galaxy to a patched version or apply the necessary security patches provided by Galaxyproject.

Where can I find more information about CVE-2022-23470?

More information about CVE-2022-23470 can be found in the GitHub commit and security advisories provided by Galaxyproject.

Vulnerability/
CVE-2022-23470

high

8.6

CWE

6/12/2022

23/4/2025

CVE-2022-23470: Arbitrary file access in the Galaxy data analysis platform

First published: Tue Dec 06 2022(Updated: )

Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Galaxyproject Galaxy	>=22.01<=22.05

Remedy

https://github.com/galaxyproject/galaxy/commit/e5e6bda4f014f807ca77ee0cf6af777a55918346

Remedy

https://github.com/galaxyproject/galaxy/security/advisories/GHSA-grjf-2ghx-q77x

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-23470?
CVE-2022-23470 is a vulnerability in the Galaxy open-source platform for data analysis that allows for arbitrary file read.
How does CVE-2022-23470 affect Galaxy?
CVE-2022-23470 affects Galaxy versions 22.01 and 22.05, allowing an attacker to read any file accessible to the operating system user under which Galaxy is running.
What is the severity of CVE-2022-23470?
The severity of CVE-2022-23470 is high with a CVSS score of 7.5.
How do I fix CVE-2022-23470?
To fix CVE-2022-23470, it is recommended to update Galaxy to a patched version or apply the necessary security patches provided by Galaxyproject.
Where can I find more information about CVE-2022-23470?
More information about CVE-2022-23470 can be found in the GitHub commit and security advisories provided by Galaxyproject.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
agent/remedy
collector/mitre-cve
source/MITRE
agent/author
agent/last-modified-date
agent/weakness
agent/severity
agent/title
agent/description
agent/first-publish-date
agent/event
agent/tags
agent/source
vendor/galaxyproject
canonical/galaxyproject galaxy
version/galaxyproject galaxy/22.01
version/galaxyproject galaxy/22.05

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.