Bug 2280723 (CVE-2024-4981)
Summary: | CVE-2024-4981 pagure: _update_file_in_git() follows symbolic links in temporary clones | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Nick Tait <ntait>
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | dominik, ngompa13, pingou, security-response-team
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | ---
Doc Text: | A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally incorporate and make visible content from outside the git repo. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2024-06-07 18:00:48 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 2280724, 2280725 | |
Bug Blocks: | | |
Description

Nick Tait 2024-05-15 22:51:04 UTC

Created pagure tracking bugs for this issue:

Affects: epel-all [bug 2280724]
Affects: fedora-all [bug 2280725]

reported via https://bugzilla.redhat.com/show_bug.cgi?id=2278745

@ntait the vulnerability is fixed in pagure, new fedora packages are released as well. All related bugs are resolved, do you want to close this one too?

Closing.
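The defensive check this class of bug calls for, as an added example that is not Pagure's own code: a helper that writes a file into a temporary clone while refusing any path that passes through a symbolic link, exercised against a constructed clone containing a symlink that points outside it. The function and exception names are assumptions, not Pagure identifiers.

```python
import os
import tempfile

class UnsafePathError(Exception):
    """Raised when a path would leave the clone or pass through a symlink."""

def resolve_inside_clone(clone_root: str, rel_path: str) -> str:
    """Map a repo-relative path onto the clone, refusing symlinks and escapes."""
    if not rel_path or os.path.isabs(rel_path):
        raise UnsafePathError("path must be relative and non-empty")
    current = os.path.realpath(clone_root)
    # Check every component with lstat-based islink(), so a symlinked
    # directory committed into the repository cannot redirect the write.
    for part in rel_path.split("/"):
        if part in ("", ".", ".."):
            raise UnsafePathError(f"illegal path component in {rel_path!r}")
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise UnsafePathError(f"{rel_path!r} passes through a symlink")
    return current

def update_file_in_clone(clone_root: str, rel_path: str, content: bytes) -> str:
    """Write content to rel_path inside the clone without following symlinks."""
    target = resolve_inside_clone(clone_root, rel_path)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    # O_NOFOLLOW closes the check-then-open window on the final component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(target, flags, 0o644), "wb") as fh:
        fh.write(content)
    return target

def demo() -> dict:
    """Constructed scenario: a clone whose README.md is a symlink pointing outside."""
    outside = os.path.join(tempfile.mkdtemp(), "secret.txt")
    with open(outside, "wb") as fh:
        fh.write(b"outside content")
    clone = tempfile.mkdtemp()
    os.symlink(outside, os.path.join(clone, "README.md"))  # symlink in the repo
    results = {}
    update_file_in_clone(clone, "docs/index.md", b"new text")
    with open(os.path.join(clone, "docs", "index.md"), "rb") as fh:
        results["regular_write"] = fh.read()
    try:
        update_file_in_clone(clone, "README.md", b"overwritten")
        results["symlink_write"] = "allowed"
    except UnsafePathError:
        results["symlink_write"] = "refused"
    with open(outside, "rb") as fh:
        results["outside_untouched"] = fh.read() == b"outside content"
    return results
```

Intermediate directory components are still checked before the open, so a concurrent swap of a parent directory for a symlink is not fully covered; opening each component with O_NOFOLLOW via openat() closes that remaining window.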