PT-2024-2708 · Apache · Apache Airflow
Matej Murin · Published 2024-03-26 · Updated 2025-05-07
CVE-2024-29735
| CVSS v2.0 | 5.6 (Medium) |
| Vector | AV:N/AC:H/Au:S/C:N/I:C/A:P |
Name of the Vulnerable Software and Affected Versions
Apache Airflow versions 2.8.2 through 2.8.3
Description
The vulnerability is an improper preservation of permissions in Apache Airflow that can allow a remote attacker to gain write access to arbitrary files in the file system. Airflow's local file task handler incorrectly set permissions on every parent folder of the log folder, adding write access for the Unix group of those folders. If Airflow is run as the root user, this can add group write permission to every folder up to the root of the filesystem. It may also impact the ability to run SSH operations if log files are stored in the home directory. Users who run the official Airflow Docker reference images, or who already have a umask of 002 (group write enabled), are not affected.
Recommendations
- If you run Airflow as root, switch it to a non-root user
- Upgrade Apache Airflow to 2.8.4 or above
- If you prefer not to upgrade, set the file task handler's new-folder permissions to 0o755 (the original value is 0o775)
- If you have already run Airflow tasks and your default umask is 022 (group write disabled), stop the Airflow components, check the permissions of AIRFLOW_HOME/logs on every component together with all parent directories of that directory, and remove group write access from all of those parent directories
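The audit in the last recommendation, as an added example that is not Airflow's own code: walk from the logs directory up through its parents, report every directory that carries the group-write bit, and clear only that bit so owner, other, setgid and sticky bits survive. The `stop_at` boundary, the helper names and the temporary AIRFLOW_HOME tree built in `demo()` are assumptions of this example; `stop_at` defaults to the filesystem root, matching the recommendation to check every parent directory.

```python
import os
import stat
import tempfile
from pathlib import Path


def group_writable_dirs(log_dir, stop_at="/"):
    """Return log_dir and its parents (walking up, stopping before stop_at,
    which defaults to the filesystem root) whose mode has the g+w bit set."""
    path, boundary = Path(log_dir).resolve(), Path(stop_at).resolve()
    flagged = []
    for candidate in (path, *path.parents):
        if candidate == boundary:
            break
        if candidate.stat().st_mode & stat.S_IWGRP:
            flagged.append(candidate)
    return flagged


def remove_group_write(directories, apply=False):
    """Clear only the group-write bit (chmod g-w); owner, other, setgid and
    sticky bits are kept. apply=False gives a dry-run (path, old, new) report."""
    changes = []
    for directory in directories:
        old = stat.S_IMODE(os.stat(directory).st_mode)
        new = old & ~stat.S_IWGRP
        if new != old:
            if apply:
                os.chmod(directory, new)
            changes.append((str(directory), oct(old), oct(new)))
    return changes


def demo():
    """Constructed sample: an AIRFLOW_HOME tree left at 0o775 by the
    vulnerable handler, audited, fixed in place, then audited again."""
    root = tempfile.mkdtemp()
    logs = Path(root, "airflow", "logs")
    logs.mkdir(parents=True)
    os.chmod(logs.parent, 0o775)  # group write as left behind by 2.8.2/2.8.3
    os.chmod(logs, 0o775)
    before = group_writable_dirs(logs, stop_at=root)
    changes = remove_group_write(before, apply=True)
    after = group_writable_dirs(logs, stop_at=root)
    return {
        "before": [p.name for p in before],
        "changes": [(old, new) for _, old, new in changes],
        "after": [p.name for p in after],
        "logs_mode": oct(stat.S_IMODE(logs.stat().st_mode)),
    }
```

Shared directories such as /tmp (mode 1777) are group-writable by design and will be reported when walking to the filesystem root, so review the dry-run output (`apply=False`) before applying changes on a real host.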
Weakness Enumeration
Improper Preservation of Permissions
Affected Products
Apache Airflow