Improper Preservation of Permissions Affecting apache-airflow package, versions [2.8.2,2.8.4)


Severity: medium

Snyk CVSS

    Attack Complexity High
    Integrity High

    Threat Intelligence

    EPSS 0.04% (9th percentile)

  • Snyk ID SNYK-PYTHON-APACHEAIRFLOW-6501609
  • published 27 Mar 2024
  • disclosed 26 Mar 2024
  • credit Matej Murin

How to fix?

Upgrade apache-airflow to version 2.8.4 or higher.

Overview

apache-airflow is a platform to programmatically author, schedule, and monitor workflows.

Affected versions of this package are vulnerable to Improper Preservation of Permissions: when the local file task handler creates the folder for a task's log file, it sets the permissions of the log folder and of every parent folder above it to be writable by the group of the application user. Any other user who belongs to that group can therefore gain write access to these folders and modify or delete logs. In configurations in which the home directory of the Airflow user lies on that path, the home directory itself becomes group-writable, which also blocks SSH logins for that user, because sshd under its default StrictModes setting refuses to use a group-writable home directory.

Note: This vulnerability only applies if the Airflow installation is in a shared container or environment with other applications or users, which is not the case for the official Airflow Docker reference images. Furthermore, it does not apply if umask is set to 002, which is a common default, since folders created under that umask are already group-writable.

Workaround

This vulnerability can be avoided by setting the file task handler's new-folder permissions option, file_task_handler_new_folder_permissions in the [logging] section of airflow.cfg (environment variable AIRFLOW__LOGGING__FILE_TASK_HANDLER_NEW_FOLDER_PERMISSIONS), to 0o755 rather than the default 0o775. Changing the option only affects folders processed from then on; folders that affected versions have already made group-writable keep that mode until it is reverted by hand.
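The following Python script is an added example, not code from this advisory or from the Airflow project. It simulates the behaviour described above (an explicit chmod of the log folder and of all its parents, which is why umask does not mask it) in a scratch directory, shows that the default 0o775 makes a hypothetical home directory group-writable while the 0o755 workaround does not, and includes the audit walk a practitioner would run against a real base_log_folder. The directory layout, folder names and the stop directory are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Values from the advisory: the handler's default and the suggested workaround.
DEFAULT_NEW_FOLDER_PERMS = 0o775
WORKAROUND_NEW_FOLDER_PERMS = 0o755


def chmod_log_dir_and_parents(log_dir: Path, stop_at: Path, new_folder_perms: int) -> list[Path]:
    """Constructed simulation (not Airflow's code) of the behaviour the advisory
    describes: create the task log directory, then chmod it AND every parent
    folder below `stop_at` to `new_folder_perms`. An explicit chmod is used, so
    the process umask does not mask the change. Returns the directories touched,
    deepest first."""
    log_dir.mkdir(parents=True, exist_ok=True)
    touched: list[Path] = []
    current = log_dir
    while current != stop_at and stop_at in current.parents:
        os.chmod(current, new_folder_perms)
        touched.append(current)
        current = current.parent
    return touched


def group_writable_ancestors(path: Path, stop_at: Path) -> list[str]:
    """Audit helper: walk from `path` up to (but excluding) `stop_at` and return
    each directory whose mode has the group-write bit set, as paths relative to
    `stop_at`. Against a real installation, call it with the configured
    base_log_folder and stop_at=Path("/")."""
    path, stop_at = path.resolve(), stop_at.resolve()
    found: list[str] = []
    current = path
    while current != stop_at and stop_at in current.parents:
        mode = current.stat().st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWGRP:
            found.append(str(current.relative_to(stop_at)))
        current = current.parent
    return found


def demo() -> dict:
    """Reproduce the problem in a scratch tree and show that the workaround
    removes it. The layout is hypothetical: a home directory on a host shared
    with other users of the same group, with the log folder several levels
    below it."""
    root = Path(tempfile.mkdtemp())
    home = root / "home" / "airflow"          # the Airflow user's home directory
    home.mkdir(parents=True)
    for d in (root / "home", home):
        os.chmod(d, 0o755)                    # sane starting point: not group-writable
    log_dir = home / "airflow" / "logs" / "dag_id=example" / "run_id=manual__1"

    # Affected versions: the default 0o775 is applied all the way up, $HOME included.
    chmod_log_dir_and_parents(log_dir, root, DEFAULT_NEW_FOLDER_PERMS)
    before = group_writable_ancestors(log_dir, root)

    # Workaround from the advisory: 0o755 instead of 0o775.
    chmod_log_dir_and_parents(log_dir, root, WORKAROUND_NEW_FOLDER_PERMS)
    after = group_writable_ancestors(log_dir, root)

    return {
        "home_group_writable_before": str(home.relative_to(root)) in before,
        "group_writable_before": before,
        "group_writable_after": after,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

On an affected installation the same audit walk, started at the configured base_log_folder with stop_at=Path("/"), lists every folder the handler has already opened up; after setting file_task_handler_new_folder_permissions = 0o755 under [logging], those folders still need chmod g-w by hand, because the option only governs future runs.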