CVE-2022-23470
CVSS V2 None
CVSS V3 None
Description
Galaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.
Overview
- CVE ID
- CVE-2022-23470
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2022-12-06T18:15:10
- Last Modified Date
- 2022-12-08T18:00:26
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:galaxyproject:galaxy:*:*:*:*:*:*:*:* | 1 | OR | 22.01 | 22.05 |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-23470 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23470 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-12-07 18:06:50 | Added to TrackCVE | |||
2022-12-08 13:14:00 | 2022-12-06T18:15:10.090 | 2022-12-06T18:15:10 | CVE Published Date | updated |
2022-12-08 13:14:00 | 2022-12-06T19:23:25 | CVE Modified Date | updated | |
2022-12-08 13:14:00 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |
2022-12-08 18:19:35 | 2022-12-08T18:00:26 | CVE Modified Date | updated | |
2022-12-08 18:19:35 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
2022-12-08 18:19:35 | CWE-22 | Weakness Enumeration | new | |
2022-12-08 18:19:36 | CPE Information | updated |