CVE-2024-25125: 
Java vulnerability analysis and mitigation

Treasure Data's digdag workload automation system version 0.10.5 and earlier is susceptible to a path traversal vulnerability when configured to store log files locally. The vulnerability was discovered on February 13, 2024, and was assigned CVE-2024-25125. The issue affects the digdag workload automation system, which is an open-source tool used to build, run, schedule, and monitor complex pipelines of tasks across various platforms (GitHub Advisory, NVD).

The vulnerability stems from improper path validation in the LocalFileLogServerFactory class when handling the filename parameter from the API method getFile. When digdag is configured to store log files locally using the --task-log command line argument, an attacker can provide an absolute path in URL-encoded form (such as %2fetc%2fpasswd) to bypass typical servlet filters. The resolve(Path other) and resolve(String other) methods of java.nio.file.Path ignore the original path if 'other' is an absolute Path. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Security Lab).

The vulnerability can lead to information disclosure by allowing unauthorized access to files outside the intended directory structure. An attacker could potentially read sensitive files from the system when the digdag server is configured to store log files locally (Security Lab).

The vulnerability has been patched in version 0.10.5.1. Users are strongly advised to upgrade to this version. There are no known workarounds for this vulnerability (GitHub Advisory).