{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0406", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-01-10T18:18:28.288Z", "datePublished": "2024-04-06T16:11:02.643Z", "dateUpdated": "2024-08-20T16:27:24.235Z"}, "containers": {"cna": {"title": "Mholt/archiver: path traversal vulnerability", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library."}], "affected": [{"versions": [{"status": "affected", "version": "v3.0.0", "lessThan": "*", "versionType": "custom"}, {"status": "unaffected", "version": "v4.0.0", "lessThan": "*", "versionType": "custom"}], "packageName": "archiver", "collectionURL": "https://github.com/mholt/archiver", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:3"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:3"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:3"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:4"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:4"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:4"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift4/oc-mirror-plugin-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0406", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749", "name": "RHBZ#2257749", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-01-31T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "timeline": [{"lang": "en", "time": "2024-01-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-31T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Stefan Cornelius (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-08-20T16:27:24.235Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0406", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T19:56:01.225454Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:22:38.198Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.645Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0406", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749", "name": "RHBZ#2257749", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0406", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749", "name": "RHBZ#2257749", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.645Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0406", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T19:56:01.225454Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:43.368Z"}}], "cna": {"title": "Mholt/archiver: path traversal vulnerability", "credits": [{"lang": "en", "value": "This issue was discovered by Stefan Cornelius (Red Hat)."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "v3.0.0", "lessThan": "*", "versionType": "custom"}, {"status": "unaffected", "version": "v4.0.0", "lessThan": "*", "versionType": "custom"}], "packageName": "archiver", "collectionURL": "https://github.com/mholt/archiver", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:3"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:3"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:3"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:4"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:4"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:4"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "openshift4/oc-mirror-plugin-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-01-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-31T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-01-31T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0406", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749", "name": "RHBZ#2257749", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-08-19T13:41:12.843Z"}, "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}}, "cveMetadata": {"cveId": "CVE-2024-0406", "state": "PUBLISHED", "dateUpdated": "2024-08-19T13:41:12.843Z", "dateReserved": "2024-01-10T18:18:28.288Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-04-06T16:11:02.643Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library."}, {"lang": "es", "value": "Se descubri\u00f3 una falla en el paquete mholt/archiver. Esta falla permite a un atacante crear un archivo tar especialmente manipulado que, cuando se descomprime, puede permitir el acceso a archivos o directorios restringidos. Este problema puede permitir la creaci\u00f3n o sobrescritura de archivos con los privilegios del usuario o de la aplicaci\u00f3n usando la librer\u00eda."}], "id": "CVE-2024-0406", "lastModified": "2024-04-08T18:48:40.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-04-06T17:15:07.127", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-0406"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Stefan Cornelius (Red Hat).", "bugzilla": {"description": "mholt/archiver: path traversal vulnerability", "id": "2257749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.", "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library."], "name": "CVE-2024-0406", "package_state": [{"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/oc-mirror-plugin-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2024-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-0406\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-0406"], "threat_severity": "Moderate", "upstream_fix": "mholt 4"}