CVE-2024-0406 Mholt/archiver: path traversal vulnerability

2024-04-0616:11:02

CWE-22

redhat

github.com

mholt/archiver

path traversal

vulnerability

restricted files

privilege escalation

cve-2024-0406

tar file

CVSS3

6.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

AI Score

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user’s or application’s privileges using the library.

CNA Affected

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "v3.0.0",
        "lessThan": "*",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "v4.0.0",
        "lessThan": "*",
        "versionType": "custom"
      }
    ],
    "packageName": "archiver",
    "collectionURL": "https://github.com/mholt/archiver",
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:/a:redhat:advanced_cluster_security:3"
    ],
    "vendor": "Red Hat",
    "product": "Red Hat Advanced Cluster Security 3",
    "packageName": "advanced-cluster-security/rhacs-main-rhel8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "affected"
  },
  {
    "cpes": [
      "cpe:/a:redhat:advanced_cluster_security:3"
    ],
    "vendor": "Red Hat",
    "product": "Red Hat Advanced Cluster Security 3",
    "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "affected"
  },
  {
    "cpes": [
      "cpe:/a:redhat:advanced_cluster_security:3"
    ],
    "vendor": "Red Hat",
    "product": "Red Hat Advanced Cluster Security 3",
    "packageName": "advanced-cluster-security/rhacs-scanner-rhel8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "affected"
  },
  {
    "cpes": [
      "cpe:/a:redhat:advanced_cluster_security:4"
    ],
    "vendor": "Red Hat",
    "product": "Red Hat Advanced Cluster Security 4",
    "packageName": "advanced-cluster-security/rhacs-main-rhel8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:/a:redhat:advanced_cluster_security:4"
    ],
    "vendor": "Red Hat",
    "product": "Red Hat Advanced Cluster Security 4",
    "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:/a:redhat:advanced_cluster_security:4"
    ],
    "vendor": "Red Hat",
    "product": "Red Hat Advanced Cluster Security 4",
    "packageName": "advanced-cluster-security/rhacs-scanner-rhel8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected"
  },
  {
    "cpes": [
      "cpe:/a:redhat:openshift:4"
    ],
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Container Platform 4",
    "packageName": "openshift4/oc-mirror-plugin-rhel8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "affected"
  }
]