Description
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name, a caller can use `../` path segments to create or overwrite files outside that task working directory on the worker filesystem. Versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43 patch the issue.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low
Affected products
- kestra-io / kestra< 1.0.43 – < 1.0.43
- kestra-io / kestra>= 1.1.0, < 1.1.19 – >= 1.1.0, < 1.1.19
- kestra-io / kestra>= 1.2.0, < 1.2.19 – >= 1.2.0, < 1.2.19
- kestra-io / kestra>= 1.3.0, < 1.3.19 – >= 1.3.0, < 1.3.19