MidnightBSD

Advisories for devfile

CVE-2024-1485

A flaw was found in the decompression function of registry-support. The issue is a path traversal during archive extraction: an unauthenticated remote attacker who tricks a user into parsing a devfile that uses the `parent` or `plugin` keywords can cause registry-support to download an attacker-controlled archive, and entry paths from that archive are not confined to the extraction directory. Decompression and the subsequent cleanup process can therefore overwrite or delete files outside the extraction directory, which should not be allowed.
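As an added example, not code from registry-support or the devfile project: a Go tar extractor in the shape this class of bug takes. `unsafeTarget` joins an archive entry name onto the destination with no containment check, so an entry named `../../escape.txt` resolves to a path outside the extraction directory; `safeTarget` and `Extract` are the hardened form, which rejects any entry whose cleaned path would leave the destination. The in-memory archive, the entry names and all function names here are constructed for this illustration and are assumptions, not identifiers from the advisory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// buildArchive builds an in-memory tar archive with the given entry names.
// This is constructed sample input, not a real devfile registry archive.
func buildArchive(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		body := []byte("payload for " + n)
		hdr := &tar.Header{Name: n, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// unsafeTarget mirrors the vulnerable pattern: the entry name is joined to
// the destination with no check that the result stays inside it, so ".."
// segments in the name walk out of dest.
func unsafeTarget(dest, name string) string {
	return filepath.Join(dest, name)
}

// safeTarget is the hardened form: Join cleans the path (resolving ".."),
// and the result must equal dest or sit strictly below dest + separator.
// The separator matters so that "../out2" is not accepted as a prefix match.
func safeTarget(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name)
	if target != dest && !strings.HasPrefix(target, dest+string(os.PathSeparator)) {
		return "", fmt.Errorf("archive entry %q escapes %q", name, dest)
	}
	return target, nil
}

// Extract writes each regular-file entry under dest using safeTarget and
// stops at the first entry that would escape. It returns the paths written.
func Extract(archive []byte, dest string) ([]string, error) {
	var written []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories, symlinks and other types are out of scope here
		}
		target, err := safeTarget(dest, hdr.Name)
		if err != nil {
			return written, err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode))
		if err != nil {
			return written, err
		}
		if _, err := io.Copy(f, tr); err != nil {
			f.Close()
			return written, err
		}
		f.Close()
		written = append(written, target)
	}
}

func main() {
	dest, err := os.MkdirTemp("", "extract-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	archive := buildArchive([]string{"devfile.yaml", "../../escape.txt"})
	fmt.Println("unchecked target:", unsafeTarget(dest, "../../escape.txt"))
	written, err := Extract(archive, dest)
	fmt.Println("written:", written)
	fmt.Println("error:", err)
}
```

The same containment check has to be applied on the cleanup path as well, since the advisory names the cleanup process as the point where files outside the extraction directory are overwritten or deleted: deleting `filepath.Join(dest, entry)` without the check is the same bug in reverse. The prefix check does not defend against symlinks already present under `dest` or created by earlier archive entries; an extractor that must handle those should reject symlink entries or resolve the target with `filepath.EvalSymlinks` before writing.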

CVSS 3.x

Source               Score  Severity  Vector                                         Exploitability  Impact
secalert@redhat.com  6.8    MEDIUM    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H   1.6             5.2

Reading the vector: network attack vector, high attack complexity, no privileges required, user interaction required, scope unchanged, no confidentiality impact, high integrity and availability impact.

Products Affected

Vendor   Product                                   Version
devfile  registry-support                          *
redhat   openshift                                 4.0
redhat   openshift_developer_tools_and_services    -