Lucene search

GitHub Advisory DatabaseGHSA-5MP4-32RR-V3X5

HistoryFeb 14, 2024 - 3:08 p.m.

Absolute path traversal vulnerability in digdag server

2024-02-1415:08:23

CWE-22

GitHub Advisory Database

github.com

digdag

server

vulnerability

log files

information disclosure

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.6%

JSON

Summary

Treasure Data’s digdag workload automation system is susceptible to a path traversal vulnerability if it’s configured to store log files locally.

Impact

This issue may lead to Information Disclosure.

Affected configurations

Vulners

Node

io.digdag\digdagMatchserver

CPENameOperatorVersion
io.digdag:digdag-serverlt0.10.5.1

CPE	Name	Operator	Version
	io.digdag:digdag-server	lt	0.10.5.1

References

github.com/advisories/GHSA-5mp4-32rr-v3x5

github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3

github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

10.6%

JSON

Related for GHSA-5MP4-32RR-V3X5