Bug 2355460 (CVE-2024-12905)
| Summary: | CVE-2024-12905 tar-fs: link following and path traversal via maliciously crafted tar file | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abarbaro, ahrabovs, amctagga, aoconnor, asoldano, aucunnin, bbaranow, bmaxwell, bniver, brian.stansberry, caswilli, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, drosa, drow, dsimansk, flucifre, gkamathe, gmalinko, gmeno, istudens, ivassile, iweiss, janstey, jburrell, jcantril, jchui, jforrest, jhe, jkoehler, kaycoth, kingland, ktsao, kverlaen, lball, lphiri, matzew, mbenjamin, mhackett, mnovotny, mosmerov, msochure, mstoklus, msvehla, nboldt, ngough, nwallace, pdelbell, periklis, pesilva, pierdipi, pjindal, pmackay, psrna, rhuss, rojacob, rstancel, rstepani, sausingh, sdawley, smaestri, sostapov, tom.jenkinson, vereddy, veshanka, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the tar-fs package for Node.js. In affected versions, unauthorized file writes or overwrites outside the intended extraction directory can occur when extracting a maliciously crafted tar file. The issue is associated with index.js in the tar-fs package.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2355666, 2355665, 2355667, 2355668, 2355669, 2389975, 2389976, 2393380 | ||
| Bug Blocks: | |||
This issue has been addressed in the following products: Red Hat OpenShift Dev Spaces 3 Containers Via RHSA-2025:3932 https://access.redhat.com/errata/RHSA-2025:3932 This issue has been addressed in the following products: Red Hat OpenShift Dev Spaces 3 Containers Via RHSA-2025:8244 https://access.redhat.com/errata/RHSA-2025:8244 |
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.