CVE-2024-25125
Published: 14 February 2024
Summary
CVE-2024-25125 is a medium-severity Path Traversal (CWE-22) vulnerability in Treasuredata Digdag. Its CVSS base score is 5.3 (Medium).
Operationally, ranked in the top 8.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Digdag, an open source workload automation system developed by Treasure Data for building, running, scheduling, and monitoring task pipelines, is affected by a path traversal vulnerability when configured to store log files locally. The flaw, tracked as CVE-2024-25125 and assigned CWE-22, permits unauthorized access to files outside intended directories and carries a CVSS 3.1 score of 5.3 reflecting network-accessible information disclosure without authentication.
An unauthenticated remote attacker can exploit the issue over the network to read sensitive log or configuration data stored on the local filesystem, potentially exposing credentials or operational details from Digdag deployments that have not restricted log storage to non-local backends.
The vulnerability was addressed in release 0.10.5.1 via a patch that sanitizes file paths during log handling, as detailed in the project's GitHub security advisory GHSA-5mp4-32rr-v3x5 and the associated commit. Administrators are advised to upgrade immediately, since no workarounds are available.
The EPSS score has remained flat at 0.0735 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0522
Vulnerability details
Digdag is an open source tool that to build, run, schedule, and monitor complex pipelines of tasks across various platforms. Treasure Data's digdag workload automation system is susceptible to a path traversal vulnerability if it's configured to store log files…
more
locally. This issue may lead to information disclosure and has been addressed in release version 0.10.5.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.