CVE-2022-38170
Insecure Umask vulnerability in apache-airflow (PyPI)
What is CVE-2022-38170 About?
In Apache Airflow prior to 2.3.4, an insecure umask was configured when running with the '--daemon' flag. This creates a race condition that can result in world-writable files in the Airflow home directory, allowing local users to expose arbitrary file contents via the webserver. The vulnerability is local and relies on a race condition, making it moderately complex to exploit reliably.
Affected Software
Technical Details
Apache Airflow versions prior to 2.3.4, when started with the '--daemon' flag, configured an insecure umask value. A umask defines the default file permission settings for new files and directories. An insecure umask allows newly created files to have overly permissive write permissions, potentially making them world-writable. This creates a race condition where a local attacker can exploit the brief window between a file's creation and its permissions being properly set (if they are ever set). By winning this race, an attacker can modify world-writable files in the Airflow home directory. Combined with Airflow's webserver functionality, this could be leveraged to expose the contents of arbitrary files from the Airflow server's filesystem, assuming the attacker can replace or symlink a file that the webserver would then serve.
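As an added example (not Airflow's own code, and not the upstream fix), the following Python shows how the process umask decides whether a freshly created file ends up world-writable, and then audits a directory for such files the way a defender might check the Airflow home directory after reading this advisory. The temporary directory and file names are constructed for the demonstration.

```python
"""Added example: umask effect on new files, plus a world-writable audit."""
import os
import stat
import tempfile


def create_with_umask(path: str, umask: int) -> int:
    """Create `path` under the given umask and return its permission bits."""
    old = os.umask(umask)
    try:
        # Libraries typically request 0o666 and let the umask strip bits.
        # With umask 0 nothing is stripped and the file is world-writable;
        # with umask 0o077 only the owner keeps any access.
        fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(old)  # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable_files(root: str) -> list:
    """Return regular files under `root` that any local user can write to."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks when auditing
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                found.append(full)
    return sorted(found)


def demo() -> dict:
    """Create one file with umask 0 and one with umask 0o077 in a constructed
    directory, then audit it. Returns the resulting modes and the findings."""
    home = tempfile.mkdtemp(prefix="airflow_home_")  # constructed, not a real AIRFLOW_HOME
    insecure = os.path.join(home, "insecure.log")
    secure = os.path.join(home, "secure.log")
    result = {
        "insecure_mode": create_with_umask(insecure, 0o000),
        "secure_mode": create_with_umask(secure, 0o077),
    }
    result["world_writable"] = [os.path.basename(p) for p in world_writable_files(home)]
    return result


if __name__ == "__main__":
    print(demo())
```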
What is the Impact of CVE-2022-38170?
Successful exploitation may allow local attackers to expose arbitrary file contents via the webserver, leading to the disclosure of sensitive information such as configuration files, credentials, or other private data. It can compromise the confidentiality of the system.
What is the Exploitability of CVE-2022-38170?
Exploitation requires local access to the Airflow server and relies on winning a race condition, making it moderately complex. The attacker needs to be a local user on the system running Airflow; no authentication to the Airflow web application is required, but local system access is essential. Special conditions include the Airflow instance running with the '--daemon' flag and the attacker successfully winning the race to modify file permissions or content. Risk factors that increase exploitation likelihood include a multi-user environment where untrusted local users have access to the server, and a consistent timing window for the race condition.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-38170?
Available Upgrade Options
- apache-airflow
- <2.3.4 → Upgrade to 2.3.4
Additional Resources
- http://www.openwall.com/lists/oss-security/2022/09/02/3
- https://github.com/apache/airflow/commit/b6a2cd1aa34f69a36ea127e4f7f5ba87f4aca420
- http://www.openwall.com/lists/oss-security/2022/09/02/12
- https://github.com/advisories/GHSA-q8h9-pqcx-59hw
- https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv
- https://github.com/apache/airflow
- https://github.com/apache/airflow/commit/c14ea8f0f34944d2ecfa9021d167602e8b2b8b90
- http://www.openwall.com/lists/oss-security/2022/09/21/2
What are Similar Vulnerabilities to CVE-2022-38170?
Similar Vulnerabilities: CVE-2023-37920, CVE-2021-36743, CVE-2020-13943, CVE-2019-12386, CVE-2018-11760
