Improper Preservation of Permissions vulnerability in Apache Airflow
CVE-2024-29735
Summary
Apache Airflow versions 2.8.2 through 2.8.3 contain an improper preservation of permissions vulnerability caused by incorrect permission settings on the parent directories of the log folder. The flaw can inadvertently grant write access to the Unix group of these directories, particularly if Airflow is run with elevated root access. Users who store log files in their home directory may find their systems affected during SSH operations, because the home directory can become group-writable. The issue is mitigated for users who run containers based on the official Airflow Docker images or who have a predefined umask of 002. The recommended mitigation is to upgrade to Apache Airflow 2.8.4 or to adjust the file task handler's permissions.
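One way to check a host for the condition described above, as an added example rather than code from Airflow or the advisory: it walks from the log folder up through its parent directories and reports each one that has the group-write bit set. The function names, the script name in the usage comment, and the directory layout in `demo()` are constructed for this example.

```python
import os
import shutil
import stat
import sys
import tempfile


def group_writable_parents(log_dir, stop_at="/"):
    """Return (path, mode) for the log folder and every ancestor up to
    stop_at that has the group-write bit set, nearest first."""
    stop_at = os.path.realpath(stop_at)
    current = os.path.realpath(log_dir)
    findings = []
    while True:
        mode = stat.S_IMODE(os.stat(current).st_mode)
        if mode & stat.S_IWGRP:
            findings.append((current, oct(mode)))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings


def demo():
    """Constructed layout <tmp>/home/airflow/logs in which only the
    home directory 'home/airflow' is group-writable."""
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        user_home = os.path.join(root, "home", "airflow")
        logs = os.path.join(user_home, "logs")
        os.makedirs(logs)
        for path, mode in ((root, 0o755), (os.path.dirname(user_home), 0o755),
                           (user_home, 0o775), (logs, 0o755)):
            os.chmod(path, mode)
        return group_writable_parents(logs, stop_at=root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Usage: python check_log_parents.py /path/to/log/folder
    results = group_writable_parents(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, mode in results:
        print(f"group-writable: {path} ({mode})")
```

Run it as the account that owns the log folder; an empty result means no directory on the path grants group write.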
Affected Version(s)
Apache Airflow 2.8.2 through 2.8.3