Impact
Apache Airflow’s Google provider operators GCSToSFTPOperator and GCSTimeSpanFileTransformOperator concatenate GCS object names from a bucket listing directly to a destination path without normalising '..' segments or validating containment. An attacker who can write objects to the source GCS bucket—and who can trigger an Airflow DAG run that uses the affected operators—could upload a file whose name contains directory‑traversal sequences and cause the operator to write the downloaded content outside the intended directory. The resulting overwrite can replace files on an SFTP server or the Airflow worker host, compromising file integrity and potentially exposing confidential data or facilitating further compromise. The weakness is classified as CWE‑22.
Affected Systems
The Apache Airflow Google provider is affected in all releases prior to version 22.2.1 of the apache‑airflow‑providers‑google package. Deployments that ingest data from GCS buckets that are writable by less‑trusted principals, such as partner uploads or public‑data buckets, are impacted.
Risk and Exploitability
The CVSS score of 8.1 indicates this vulnerability is High. The EPSS score of <1% indicates a low but non‑zero likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. The attack requires two conditions: write access to the source GCS bucket and the ability to trigger a DAG run that executes the affected operators. If insecure bucket write policies exist, an attacker can exploit path traversal to overwrite arbitrary files on the SFTP server or worker host. Although public exploits are not reported, the impact of a successful attack is significant due to the potential for host compromise.
OpenCVE Enrichment