You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@airflow.apache.org by Jedidiah Cunningham <je...@apache.org> on 2022/09/02 03:55:07 UTC

CVE-2022-38170: Apache Airflow: Overly permissive umask for deamons

Description:

In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the  `--deamon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.

Mitigation:

Run without the `--deamon` flag via a process supervisor instead (systemd, runit, etc.).

Credit:

The Apache Airflow PMC would like to thank Harry Sintonen for reporting this issue.

Re: CVE-2022-38170: Apache Airflow: Overly permissive umask for deamons

Posted by Jed Cunningham <je...@apache.org>.

And shoutout to Drew Hubl for noticing the "deamon" typo 🤦‍♂️. I've
already fixed it so it'll be correct when the CVE is published.