Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by treasure-data
CVE-2024-25125 (GCVE-0-2024-25125)
Vulnerability from cvelistv5 – Published: 2024-02-14 01:12 – Updated: 2024-08-14 18:51
VLAI
Title
Absolute path traversal vulnerability in digdag server
Summary
Digdag is an open source tool that to build, run, schedule, and monitor complex pipelines of tasks across various platforms. Treasure Data's digdag workload automation system is susceptible to a path traversal vulnerability if it's configured to store log files locally. This issue may lead to information disclosure and has been addressed in release version 0.10.5.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/treasure-data/digdag/security/… | x_refsource_CONFIRM |
| https://github.com/treasure-data/digdag/commit/ea… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| treasure-data | digdag |
Affected:
< 0.10.5.1
|
|
| digdag | digdag |
Affected:
0 , < 0.10.5.1
(custom)
cpe:2.3:a:digdag:digdag:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:36:21.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5"
},
{
"name": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:digdag:digdag:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "digdag",
"vendor": "digdag",
"versions": [
{
"lessThan": "0.10.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T18:20:11.079760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T18:51:43.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "digdag",
"vendor": "treasure-data",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Digdag is an open source tool that to build, run, schedule, and monitor complex pipelines of tasks across various platforms. Treasure Data\u0027s digdag workload automation system is susceptible to a path traversal vulnerability if it\u0027s configured to store log files locally. This issue may lead to information disclosure and has been addressed in release version 0.10.5.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-14T01:12:05.181Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5"
},
{
"name": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3"
}
],
"source": {
"advisory": "GHSA-5mp4-32rr-v3x5",
"discovery": "UNKNOWN"
},
"title": "Absolute path traversal vulnerability in digdag server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25125",
"datePublished": "2024-02-14T01:12:05.181Z",
"dateReserved": "2024-02-05T14:14:46.380Z",
"dateUpdated": "2024-08-14T18:51:43.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-25125 (GCVE-0-2024-25125)
Vulnerability from nvd – Published: 2024-02-14 01:12 – Updated: 2024-08-14 18:51
VLAI
Title
Absolute path traversal vulnerability in digdag server
Summary
Digdag is an open source tool that to build, run, schedule, and monitor complex pipelines of tasks across various platforms. Treasure Data's digdag workload automation system is susceptible to a path traversal vulnerability if it's configured to store log files locally. This issue may lead to information disclosure and has been addressed in release version 0.10.5.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/treasure-data/digdag/security/… | x_refsource_CONFIRM |
| https://github.com/treasure-data/digdag/commit/ea… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| treasure-data | digdag |
Affected:
< 0.10.5.1
|
|
| digdag | digdag |
Affected:
0 , < 0.10.5.1
(custom)
cpe:2.3:a:digdag:digdag:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:36:21.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5"
},
{
"name": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:digdag:digdag:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "digdag",
"vendor": "digdag",
"versions": [
{
"lessThan": "0.10.5.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T18:20:11.079760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T18:51:43.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "digdag",
"vendor": "treasure-data",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.5.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Digdag is an open source tool that to build, run, schedule, and monitor complex pipelines of tasks across various platforms. Treasure Data\u0027s digdag workload automation system is susceptible to a path traversal vulnerability if it\u0027s configured to store log files locally. This issue may lead to information disclosure and has been addressed in release version 0.10.5.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-14T01:12:05.181Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/treasure-data/digdag/security/advisories/GHSA-5mp4-32rr-v3x5"
},
{
"name": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/treasure-data/digdag/commit/eae89b0daf6c62f12309d8c7194454dfb18cc5c3"
}
],
"source": {
"advisory": "GHSA-5mp4-32rr-v3x5",
"discovery": "UNKNOWN"
},
"title": "Absolute path traversal vulnerability in digdag server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25125",
"datePublished": "2024-02-14T01:12:05.181Z",
"dateReserved": "2024-02-05T14:14:46.380Z",
"dateUpdated": "2024-08-14T18:51:43.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}