6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): Low (L)
Kestra task inputFiles accepts traversal filenames for worker file writes
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name, a caller can use `../` path segments to create or overwrite files outside that task working directory on the worker filesystem. Versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue.
References
- https://github.com/kestra-io/kestra/security/advisories/GHSA-q3fw-mvgv-pjr2 (x_refsource_CONFIRM)
Affected products
- < 1.0.43
- >= 1.3.0, < 1.3.19
- >= 1.2.0, < 1.2.19
- >= 1.1.0, < 1.1.19
Matching in nixpkgs
pkgs.python313Packages.kestra
Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines
pkgs.python314Packages.kestra
Infinitely scalable orchestration and scheduling platform, creating, running, scheduling, and monitoring millions of complex pipelines
Package maintainers
- DataHearth (@DataHearth) <dev@antoine-langlois.net>