Skip to content

Possible Data Tampering & Loss of Public Datasets

Moderate
mvdbeek published GHSA-5639-cmph-9j4v Sep 20, 2024

Package

No package listed

Affected versions

likely all

Patched versions

>= 21.05

Description

Impact

An attacker can potentially replace the contents of public datasets resulting in data loss or tampering.

All supported versions of Galaxy are affected (i.e. 23.1, 23.2, 24.0, and 24.1). Unsupported versions are likely affected since prior to Galaxy moving to GitHub.

Patches

All supported branches of Galaxy (and more back to release_21.05) were amended with the below patch.

The same patch should work for all supported versions of Galaxy and out of support Galaxy versions back to Galaxy release 22.05. The patch can be found at: https://depot.galaxyproject.org/patch/GX-2024-0001/235f1d8b400708556732b9dda788c919ebf3bb80.patch.

The out of support Galaxy release 22.01 can be patched with https://depot.galaxyproject.org/patch/GX-2024-0001/15060a6cb222f2fcfc687d0f0260f1eb1b9c757b.patch and the 2 releases prior to that (namely 21.05 and 21.09) can be patched with https://depot.galaxyproject.org/patch/GX-2024-0001/022da344a02bafd604402ac8e253e0014f6e2e08.patch.

To apply the patch, navigate to the root of your Galaxy directory, then execute:

wget -O - "https://depot.galaxyproject.org/patch/GX-2024-0001/235f1d8b400708556732b9dda788c919ebf3bb80.patch" | patch -p1

or:

curl "https://depot.galaxyproject.org/patch/GX-2024-0001/235f1d8b400708556732b9dda788c919ebf3bb80.patch" | patch -p1

You can test application of the patch before applying it by adding the --dry-run flag to patch.

For the changes to take effect, you must restart all Galaxy server processes.

It is furthermore recommended to upgrade to the latest commit on the release_24.1 branch and apply the latest database migration. We recommend stopping all Galaxy processes and following https://docs.galaxyproject.org/en/master/admin/db_migration.html. The migration ensures that already affected datasets are protected from deletion.

Workarounds

You must apply the supplied patch or update to the release_21.05 branch or newer. There are no supported workarounds.

References

This vulnerability has been discovered and responsibly disclosed by @davelopez. The Galaxy Project is grateful for the help.

Severity

Moderate

CVE ID

CVE-2024-42351

Weaknesses

No CWEs