CVE-2022-38170

Summary

In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the --daemon flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache AirflowApache Airflow <= 2.3.3affected

Weaknesses

  • Overly permissive umask for deamons

Workarounds

Run without the --daemon flag via a process supervisor instead (systemd, runit, etc.).

ADP Enrichment

CVE Program Container

Additional References

References