luigi is vulnerable to Incorrect Permission Assignment
77
High Risk
Affected versions of this package set overly permissive file permissions in luigi/lock.py: the acquire_for function sets the permissions of the pid_dir directory to 0o777. On POSIX systems, file permissions should be strictly limited to prevent unauthorized access by other users. These permissive settings instead allow other users to access the contents, creating a potential security risk. The issue could also be exploited to write or execute malicious code, potentially leading to privilege escalation.
You are affected if you are using a version that falls within the vulnerable range.
luigi is vulnerable to Incorrect Permission Assignment in versions 1.0.17 - 3.5.1.
Upgrade the luigi library to a patched version.
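To check an existing lock directory and see the permission difference, the following added example (not luigi's code and not its patch) places the 0o777 pattern described above beside an owner-only form and an audit of the mode bits. The function names are hypothetical, and the restricted form assumes a single account runs the jobs that share the directory.

```python
import os
import stat

def create_pid_dir_permissive(pid_dir):
    """Pattern described in the advisory: lock directory opened to all local users."""
    os.makedirs(pid_dir, exist_ok=True)
    os.chmod(pid_dir, 0o777)

def create_pid_dir_restricted(pid_dir):
    """Owner-only lock directory; refuses symlinks and directories owned by others."""
    try:
        os.mkdir(pid_dir, 0o700)
    except FileExistsError:
        pass  # validated below instead of trusted
    # O_NOFOLLOW/O_DIRECTORY: fail on a symlink or non-directory at this path.
    fd = os.open(pid_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if os.fstat(fd).st_uid != os.geteuid():
            raise PermissionError(f"{pid_dir} is owned by another user")
        os.fchmod(fd, 0o700)  # independent of umask; tightens an existing 0o777 dir
    finally:
        os.close(fd)

def audit_pid_dir(pid_dir):
    """Return findings for mode bits that expose the lock directory to other users."""
    mode = stat.S_IMODE(os.lstat(pid_dir).st_mode)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append("world-readable-or-searchable")
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:  # constructed scratch path
        path = os.path.join(base, "pids")
        create_pid_dir_permissive(path)
        print("permissive:", audit_pid_dir(path))
        create_pid_dir_restricted(path)
        print("restricted:", audit_pid_dir(path))
```

Pointing audit_pid_dir at the pid directory a deployment actually uses shows whether a directory created by an affected version is still open to other users after the upgrade.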