CVE-2022-23470: Directory traversal attack of static file serving.

An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the user under which Galaxy is running.

Impact

This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy’s internal middleware.

Deployment Method

Version

Vulnerable

Galaxy Ansible Roles

*

Safe

• • nginx

*

Partially vulnerable, file read is contained to lib/galaxy/webapps/base/ and its subdirectories (which include static which is already exposed intentionally, and templates which was not.)

• • apache

*

Safe

run.sh + nginx

*

Safe

run.sh directly exposed

<22.01

Safe

run.sh directly exposed

>=22.01

Vulnerable

Patches

A patch can be found at:

https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch

To apply the patch, navigate to the root of your Galaxy directory, then execute:

wget -O - https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1

or:

curl https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1

You can test application of the patch before applying it by adding the --dry-run flag to patch.

For the changes to take effect, you must restart all Galaxy server processes.

Workarounds

You must patch with this patch to prevent this vulnerability, if you are in one of the vulnerable configurations.