
Matej Murin

#44939 of 53,638
5.6 Total CVSS
Vulnerabilities · 1
PT-2024-2708
5.6
2024-03-26
Apache · Apache Airflow · CVE-2024-29735
**Name of the Vulnerable Software and Affected Versions**

Apache Airflow versions 2.8.2 through 2.8.3

**Description**

The issue is an improper preservation of permissions in Apache Airflow. When the local file task handler created the log folder for a task, it applied the configured new-folder permissions (0o775 by default) not only to the log folder but to every parent directory of it, adding write access for the Unix group that owns each of those directories. Any local account in those groups can then write into directories well outside the Airflow log tree. If Airflow is run as root, group write permission is added to all directories up to the root of the filesystem. Because sshd (with its default StrictModes) refuses to use a home directory or .ssh directory that is group-writable, this can also break SSH operations if log files are stored under a home directory. Users who run the official Airflow Docker reference images or have a umask of 002 (group write enabled) are not affected, since in those setups the directories were group-writable already.

**Recommendations**

* If you run Airflow as root, switch to a dedicated non-root Airflow user.
* Upgrade Apache Airflow to 2.8.4 or later.
* If you prefer not to upgrade, change the file task handler's new-folder permissions from the original value 0o775 to 0o755 (the `file_task_handler_new_folder_permissions` option in the `[logging]` section of airflow.cfg, or the environment variable AIRFLOW__LOGGING__FILE_TASK_HANDLER_NEW_FOLDER_PERMISSIONS). This stops new folders from being created group-writable; it does not undo permissions that were already changed.
* If you already ran Airflow tasks and your default umask is 022 (group write disabled), stop all Airflow components, check the permissions of AIRFLOW_HOME/logs and of every parent directory of that directory on every component host (scheduler, workers, webserver), and remove group write access from all of those parent directories.
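The last recommendation is a manual walk up the directory tree on every host. The following POSIX shell script is an added example, not code from the advisory or from the Apache Airflow project, that automates that walk: it reports every parent of the log folder that has the group write bit set, prints the chmod commands it would run, and executes them with `--fix`. It assumes the log directory is `$AIRFLOW_HOME/logs` (or the path given as an argument); the script name `airflow_log_parents.sh` and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not part of Apache Airflow): audit and optionally repair the
# group write bit that CVE-2024-29735 left on parent directories of the log folder.
#
# Usage:  sh airflow_log_parents.sh [--fix] [LOG_DIR]
#         LOG_DIR defaults to "$AIRFLOW_HOME/logs" (assumed layout).
# Run on every component host (scheduler, workers, webserver) with Airflow stopped.

# Print every directory from LOG_DIR's parent up to / that has the group write bit set.
# The log folder itself is not reported: 0o775 there is the intended default so that
# every process in the Airflow group can write task logs.
group_writable_parents() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "not a directory: $1" >&2; return 1; }
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        # -prune keeps find from descending; -perm -g+w matches only when the group
        # write bit is set (POSIX symbolic mode, so it works with GNU and BSD find).
        find "$dir" -prune -perm -g+w -print
    done
}

# Drop the group write bit from each reported directory, or only print the chmod
# commands when the second argument is "no". World-writable directories such as
# /tmp (mode 1777) cannot have been produced by Airflow's 0o775 and are skipped
# for manual review instead of being changed blindly.
remove_group_write() {
    fix=$2
    group_writable_parents "$1" | while IFS= read -r d; do
        mode=$(ls -ld "$d" | cut -c1-10)
        if find "$d" -prune -perm -o+w -print | grep -q .; then
            echo "review  $mode $d  (world-writable, left untouched)"
        elif [ "$fix" = yes ]; then
            chmod g-w "$d" && echo "fixed   $mode $d"
        else
            echo "would   chmod g-w '$d'   (currently $mode)"
        fi
    done
}

main() {
    fix=no
    [ "$1" = "--fix" ] && { fix=yes; shift; }
    remove_group_write "${1:-${AIRFLOW_HOME:?set AIRFLOW_HOME or pass LOG_DIR}/logs}" "$fix"
}

# Only run when invoked as a script with something to check; sourcing the file
# merely defines the functions.
if [ $# -gt 0 ] || [ -n "${AIRFLOW_HOME:-}" ]; then
    main "$@"
fi
```

Run it once without `--fix` and read the report before repairing anything: a directory that is group-writable on purpose (a shared project tree, for example) will show up exactly like one the bug changed, and only the administrator can tell them apart. Directories listed under "review" keep whatever mode they have and need a manual decision.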