CVE-2022-38170

MEDIUM Year: 2022
CVSS v3 Score
4.7
Medium
Weakness Type
CWE-732
View all →

Vulnerability Description

In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.

Related Vulnerabilities

CVE-2017-0913

MEDIUM
CVSS:4.7(Medium)

Ubiquiti UCRM versions 2.3.0 to 2.7.7 allow an authenticated user to read arbitrary files in the local file system. Note that by default, the local file system is isolated in a docker container. Succe...

CWE-7322017

CVE-2017-1000461

MEDIUM
CVSS:4.7(Medium)

Brave Software's Brave Browser, version 0.19.73 (and earlier) is vulnerable to an incorrect access control issue in the "JS fingerprinting blocking" component, resulting in a malicious website being a...

CWE-7322017

CVE-2017-9079

MEDIUM
CVSS:4.7(Medium)

Dropbear before 2017.75 might allow local users to read certain files as root, if the file has the authorized_keys file format with a command= option. This occurs because ~/.ssh/authorized_keys is rea...

CWE-7322017

CVE-2018-5516

MEDIUM
CVSS:4.7(Medium)

On F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.2, or 11.2.1-11.6.3.1, Enterprise Manager 3.1.1, BIG-IQ Centralized Management 5.0.0-5.4.0 or 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, or F5 iWorkflow 2.0...

CWE-7322018

CVE-2020-15910

MEDIUM
CVSS:4.7(Medium)

SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a p...

CWE-7322020

CVE-2023-47801

MEDIUM
CVSS:4.7(Medium)

An issue was discovered in Click Studios Passwordstate before 9811. Existing users (Security Administrators) could use the System Wide API Key to read or delete private password records when specifica...

CWE-7322023