PT-2022-16012 · Galaxy
Ghepardo · Published 2022-12-06 · Updated 2022-12-08 · CVE-2022-23470
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Galaxy versions 22.01 and higher

Description: Galaxy is an open-source platform for data analysis. An arbitrary file read exists due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This issue is mitigated when using Nginx or Apache to serve /static/* contents instead of Galaxy's internal middleware.

Recommendations: For Galaxy versions 22.01 and higher, users are advised to manually patch their installations using commit e5e6bda4f. As a temporary workaround, consider using Nginx or Apache to serve /static/* contents instead of Galaxy's internal middleware to minimize the risk of exploitation.
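The class of bug described above is a static-file handler that maps a request path onto the filesystem without confining the result to the static root. The following is an added example of the check such a handler needs, written for this advisory and not taken from Galaxy or from commit e5e6bda4f; it assumes a POSIX filesystem and that request_path is the raw URL path after the /static prefix, and it builds its own constructed directory layout so the checks run offline.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_static_path(static_root, request_path):
    """Return the on-disk file for a /static/ request, or None if it escapes static_root."""
    root = os.path.realpath(static_root)          # canonical root, symlinks resolved
    decoded = unquote(request_path)               # decode %2e%2e-style encoding once
    if "\x00" in decoded:                         # NUL bytes truncate paths in C APIs
        return None
    # lstrip("/") stops os.path.join from discarding root on an absolute request path;
    # realpath collapses ../ and follows symlinks so the confinement check sees the real target.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None                               # resolved outside the static root
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Constructed layout: static/style/base.css plus a config file outside the root."""
    base = tempfile.mkdtemp()
    static = os.path.join(base, "static")
    os.makedirs(os.path.join(static, "style"))
    with open(os.path.join(static, "style", "base.css"), "w") as f:
        f.write("body{}")
    secret = os.path.join(base, "config.yml")     # sensitive file outside static_root
    with open(secret, "w") as f:
        f.write("database_connection: constructed-secret")
    os.symlink(secret, os.path.join(static, "leak.yml"))  # symlink pointing out of the root
    return {
        "normal": resolve_static_path(static, "/style/base.css") is not None,
        "dotdot": resolve_static_path(static, "/../config.yml"),
        "encoded": resolve_static_path(static, "/%2e%2e/config.yml"),
        "symlink": resolve_static_path(static, "/leak.yml"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the legitimate asset resolves; the traversal, the percent-encoded traversal and the symlink out of the root are all rejected, which is the property a reverse proxy such as Nginx or Apache enforces when it serves /static/* directly.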

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2022-23470, GHSA-GRJF-2GHX-Q77X

Affected Products: Galaxy