First published: Fri Sep 02 2022
In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Airflow | <2.3.4 | |
| pip/apache-airflow | <2.3.4 | 2.3.4 |
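To make the umask issue concrete, the following added example (not code from the advisory or from the Airflow project) shows how the process umask decides whether a freshly created file in a constructed, temporary AIRFLOW_HOME-like directory ends up world-writable, and includes a small audit helper an operator could run over a real Airflow home to find such files. The umask values 0o000 and 0o027 are assumptions chosen to illustrate a permissive versus a restrictive setting, not Airflow's actual defaults.

```python
import os
import stat
import tempfile


def create_with_umask(path: str, mask: int) -> int:
    """Create `path` while the process umask is `mask` (as a daemon would)
    and return the permission bits the kernel actually applied."""
    old = os.umask(mask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        os.close(fd)
    finally:
        os.umask(old)  # restore so the rest of the process is unaffected
    return stat.S_IMODE(os.stat(path).st_mode)


def find_world_writable(root: str) -> list:
    """Audit helper: list files and directories under `root` that any local
    user can write to (the S_IWOTH bit is set). Symlinks are skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                mode = os.lstat(p).st_mode
            except OSError:
                continue
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(p)
    return hits


def demo() -> dict:
    """Constructed scenario: one file created under a permissive umask (0o000,
    assumed) and one under a restrictive umask (0o027, assumed), then audited."""
    with tempfile.TemporaryDirectory() as home:  # stands in for AIRFLOW_HOME
        loose = create_with_umask(os.path.join(home, "airflow.cfg"), 0o000)
        tight = create_with_umask(os.path.join(home, "webserver_config.py"), 0o027)
        hits = find_world_writable(home)
        return {
            "loose_mode": loose,  # 0o666: world-writable
            "tight_mode": tight,  # 0o640: owner rw, group r, others nothing
            "world_writable": [os.path.basename(h) for h in hits],
        }


if __name__ == "__main__":
    print(demo())
```

Running `find_world_writable` against a real Airflow home directory is a quick way to confirm that nothing created by a pre-2.3.4 daemon is still world-writable after upgrading.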
The vulnerability ID is CVE-2022-38170.
The severity of CVE-2022-38170 is medium with a CVSS score of 4.7.
CVE-2022-38170 is a vulnerability in Apache Airflow prior to 2.3.4 that allows local users to expose arbitrary file contents via a race condition and insecure umask configuration.
CVE-2022-38170 affects Apache Airflow versions prior to 2.3.4; version 2.3.4 contains the fix.
References for CVE-2022-38170: [1](http://www.openwall.com/lists/oss-security/2022/09/02/12), [2](http://www.openwall.com/lists/oss-security/2022/09/02/3), [3](http://www.openwall.com/lists/oss-security/2022/09/21/2).