Search criteria
1 vulnerability by treasure-data
CVE-2024-25125 (GCVE-0-2024-25125)
Vulnerability from cvelistv5 – Published: 2024-02-14 01:12 – Updated: 2024-08-14 18:51
VLAI?
Summary
Digdag is an open source tool that to build, run, schedule, and monitor complex pipelines of tasks across various platforms. Treasure Data's digdag workload automation system is susceptible to a path traversal vulnerability if it's configured to store log files locally. This issue may lead to information disclosure and has been addressed in release version 0.10.5.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| treasure-data | digdag |
Affected:
< 0.10.5.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:36:21.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5"
},
{
"name": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:digdag:digdag:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "digdag",
"vendor": "digdag",
"versions": [
{
"lessThan": "0.10.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T18:20:11.079760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T18:51:43.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "digdag",
"vendor": "treasure-data",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Digdag is an open source tool that to build, run, schedule, and monitor complex pipelines of tasks across various platforms. Treasure Data\u0027s digdag workload automation system is susceptible to a path traversal vulnerability if it\u0027s configured to store log files locally. This issue may lead to information disclosure and has been addressed in release version 0.10.5.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-14T01:12:05.181Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5"
},
{
"name": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3"
}
],
"source": {
"advisory": "GHSA-5mp4-32rr-v3x5",
"discovery": "UNKNOWN"
},
"title": "Absolute path traversal vulnerability in digdag server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25125",
"datePublished": "2024-02-14T01:12:05.181Z",
"dateReserved": "2024-02-05T14:14:46.380Z",
"dateUpdated": "2024-08-14T18:51:43.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}