CRITICAL 9.1
PYSEC-2026-218
상세
A path traversal in the SFTP provider (`SFTPHook.retrieve_directory` / `SFTPOperator(operation=get)`) let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is any deployment downloading directories from an untrusted SFTP server. Upgrade `apache-airflow-providers-sftp` to 5.8.1 or later.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
PyPI / apache-airflow-providers-sftp
최초 영향 버전:
0 수정 버전: 5.8.1 수정
pip install --upgrade 'apache-airflow-providers-sftp>=5.8.1'