Apache Airflow Providers Google
Monthly
Path traversal in Apache Airflow's Google provider (apache-airflow-providers-google before 22.2.1) lets a principal with write access to a source GCS bucket overwrite arbitrary files on the SFTP server (GCSToSFTPOperator) or the worker host (GCSTimeSpanFileTransformOperator) by crafting a GCS object name containing `..` segments. Because the bucket writer is frequently a lower-trust party than the DAG author (partner uploads, ingest-only service accounts, public-data buckets), exploitation crosses a trust boundary that operators may not have modeled. No public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none, so this is a real but non-default, targeted-risk integrity flaw rather than a mass-exploitable one.
Improper Input Validation vulnerability in the Apache Airflow Google Provider.10.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Improper Input Validation vulnerability in the Apache Airflow Google Provider.10.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Path traversal in Apache Airflow's Google provider (apache-airflow-providers-google before 22.2.1) lets a principal with write access to a source GCS bucket overwrite arbitrary files on the SFTP server (GCSToSFTPOperator) or the worker host (GCSTimeSpanFileTransformOperator) by crafting a GCS object name containing `..` segments. Because the bucket writer is frequently a lower-trust party than the DAG author (partner uploads, ingest-only service accounts, public-data buckets), exploitation crosses a trust boundary that operators may not have modeled. No public exploit is identified at time of analysis, and CISA SSVC rates exploitation as none, so this is a real but non-default, targeted-risk integrity flaw rather than a mass-exploitable one.
Improper Input Validation vulnerability in the Apache Airflow Google Provider.10.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Improper Input Validation vulnerability in the Apache Airflow Google Provider.10.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.