Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-23470: Directory traversal attack of static file serving.

Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy’s internal middleware. This issue has been patched in commit e5e6bda4f and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.

CVE
#vulnerability#web#apache#nginx

An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the user under which Galaxy is running.

Impact

This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy’s internal middleware.

Deployment Method

Version

Vulnerable

Galaxy Ansible Roles

*

Safe

    • nginx

*

Partially vulnerable, file read is contained to lib/galaxy/webapps/base/ and its subdirectories (which include static which is already exposed intentionally, and templates which was not.)

    • apache

*

Safe

run.sh + nginx

*

Safe

run.sh directly exposed

<22.01

Safe

run.sh directly exposed

>=22.01

Vulnerable

Patches

A patch can be found at:

https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch

To apply the patch, navigate to the root of your Galaxy directory, then execute:

wget -O - https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1

or:

curl https://depot.galaxyproject.org/patch/GX-2022-0001/static-traversal.patch | patch -p1

You can test application of the patch before applying it by adding the --dry-run flag to patch.

For the changes to take effect, you must restart all Galaxy server processes.

Workarounds

You must patch with this patch to prevent this vulnerability, if you are in one of the vulnerable configurations.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907