{"schema_version": "1.6.1", "id": "CVE-2022-38170", "summary": "Overly permissive umask for daemons", "details": "In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the  `--daemon` flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via the webserver.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Airflow"}, {"last_affected": "Apache Airflow"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/zn8mbbb1j2od5nc9zhrvb7rpsrg1vvzv"}]}