Improper Preservation of Permissions Affecting apache-airflow package, versions [2.8.2,2.8.4)


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.05% (18th percentile)

  • Snyk ID: SNYK-PYTHON-APACHEAIRFLOW-6501609
  • published: 27 Mar 2024
  • disclosed: 26 Mar 2024
  • credit: Matej Murin

Introduced: 26 Mar 2024

CVE-2024-29735
CWE-281

How to fix?

Upgrade apache-airflow to version 2.8.4 or higher.

Overview

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Preservation of Permissions when the local file task handler sets permissions for all parent folders of the log folder to writable by the group of the application user. An attacker may be able to modify or delete logs by gaining write access to these folders. In configurations in which this attack affects the home directory, the change can also block SSH operations by other users.

Note: This vulnerability only applies if the Airflow installation is in a shared container or environment with other applications or users, which is not the case for Official Airflow Docker reference images. Furthermore, it does not apply if umask is set to 002, which is a common default.

Workaround

This vulnerability can be avoided by setting the file task handler's new folder permissions (file-task-handler-new-folder-permissions) to 0o755 rather than 0o775.
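Added example, not taken from the Snyk advisory or the Airflow project: a small audit script that walks upward from an Airflow log folder and reports every ancestor directory carrying the group-write bit (the condition the Overview describes), then renders the Workaround as an airflow.cfg fragment. It assumes the option is spelled file_task_handler_new_folder_permissions in the [logging] section (Airflow's underscore form of the hyphenated name above); the directory tree it audits is constructed in a temporary directory so the script runs offline.

```python
"""
Audit the parent directories of an Airflow log folder for group-writable
bits and render the hardened airflow.cfg setting from the advisory.

Added example, not part of the Snyk advisory or the Airflow project.
Assumption: the config key is file_task_handler_new_folder_permissions
under [logging] (underscore form of the hyphenated name in the advisory).
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Values from the advisory: the weak setting and the recommended replacement.
WEAK_FOLDER_MODE = 0o775
SAFE_FOLDER_MODE = 0o755


def group_writable_ancestors(log_dir, stop_at="/"):
    """Return (path, octal mode) for every directory from log_dir upward,
    excluding stop_at and anything above it, whose group-write bit is set.

    The advisory says the file task handler chmods every parent of the log
    folder, so an audit has to walk upward rather than inspect one folder.
    """
    log_dir = Path(log_dir).resolve()
    stop_at = Path(stop_at).resolve()
    findings = []
    for d in [log_dir, *log_dir.parents]:
        if d == stop_at:
            break
        mode = stat.S_IMODE(d.stat().st_mode)
        if mode & stat.S_IWGRP:
            findings.append((str(d), oct(mode)))
    return findings


def hardened_logging_config(mode=SAFE_FOLDER_MODE):
    """Render the [logging] fragment that applies the advisory's workaround
    (0o755 instead of the group-writable 0o775)."""
    return (
        "[logging]\n"
        f"file_task_handler_new_folder_permissions = {mode:#o}\n"
    )


def demo():
    """Build a constructed directory tree, reproduce the group-writable
    state the advisory describes, audit it, apply the workaround mode,
    and audit again. Returns (findings_before, findings_after)."""
    root = Path(tempfile.mkdtemp(prefix="airflow-audit-")).resolve()
    try:
        home = root / "home" / "airflow"
        logs = home / "logs" / "dag_id=example" / "run_id=manual"
        logs.mkdir(parents=True)
        chain = []
        for d in [logs, *logs.parents]:
            if d == root:
                break
            chain.append(d)
        # Constructed state: every folder up to the home dir is 0o775.
        for d in chain:
            os.chmod(d, WEAK_FOLDER_MODE)
        before = group_writable_ancestors(logs, stop_at=root)
        # Remediation: the same folders at the workaround mode 0o755.
        for d in chain:
            os.chmod(d, SAFE_FOLDER_MODE)
        after = group_writable_ancestors(logs, stop_at=root)
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    found, remaining = demo()
    for path, mode in found:
        print(f"group-writable: {mode} {path}")
    print(f"after workaround: {len(remaining)} group-writable folders")
    print(hardened_logging_config(), end="")
```

Run it against a real deployment by calling group_writable_ancestors on the configured base log folder with stop_at set to the application user's home directory or to "/"; any finding outside the log tree itself is a folder the advisory's behaviour could have altered.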

CVSS Scores (version 3.1)