A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
Fixes

Solution

No solution given by the vendor.


Workaround

Limit or block the parsing of devfiles from untrusted sources.

History

Mon, 21 Oct 2024 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Devfile
Devfile registry-support
Redhat openshift Developer Tools And Services
Weaknesses CWE-22
CPEs cpe:2.3:a:devfile:registry-support:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_developer_tools_and_services:-:*:*:*:*:*:*:*
Vendors & Products Devfile
Devfile registry-support
Redhat openshift Developer Tools And Services

Fri, 27 Sep 2024 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-27T12:19:16.110Z

Reserved: 2024-02-13T21:47:23.979Z

Link: CVE-2024-1485

cve-icon Vulnrichment

Updated: 2024-08-01T18:40:21.236Z

cve-icon NVD

Status : Modified

Published: 2024-02-14T00:15:46.783

Modified: 2024-11-21T08:50:41.090

Link: CVE-2024-1485

cve-icon Redhat

Severity : Important

Publid Date: 2024-02-05T00:00:00Z

Links: CVE-2024-1485 - Bugzilla

cve-icon OpenCVE Enrichment

No data.