
CVE Details

CVE-2005-2541

Last Update

11/7/24

NIST CVE Summary

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

Our Official Summary

Palette & Vertex Impact Summary

This vulnerability is reported on some third-party images used by our products. Exploitation requires two specific conditions to be met: the tar extraction must be performed by the root user, and the tarball itself must be maliciously crafted with setuid or setgid bits. These third-party images do not run as root, so the probability of exploitation is low. We will upgrade the image once the upstream fix becomes available.

Palette airgap & Vertex airgap Summary

This vulnerability is reported on some third-party images used by our products. Exploitation requires two specific conditions to be met: the tar extraction must be performed by the root user, and the tarball itself must be maliciously crafted with setuid or setgid bits. These third-party images do not run as root, so the probability of exploitation is low. A fixed version of the image is available by upgrading to 4.4.18.
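Both summaries above rest on the same precondition: an archive carrying setuid or setgid entries being unpacked by root, which tar 1.15.1 does without a warning. The Python script below is an added example, not part of this advisory or of any Palette or VerteX image; it lists such entries before extraction and rewrites the archive with those bits cleared. The archive contents and member names are constructed for the demonstration.

```python
import io
import stat
import tarfile

PRIV_BITS = stat.S_ISUID | stat.S_ISGID


def build_sample_archive() -> bytes:
    """Constructed sample: one ordinary script and one with the setuid bit set."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("bin/harmless", 0o755), ("bin/elevated", 0o4755)):
            data = b"#!/bin/sh\necho hi\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode  # permission bits recorded in the tar header
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_privileged_members(archive: bytes) -> list[tuple[str, str]]:
    """Return (name, bits) for every member whose mode carries setuid or setgid.

    This is the warning that tar 1.15.1 omits: run it before any extraction
    that happens as root.
    """
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            bits = [label for label, bit in (("setuid", stat.S_ISUID),
                                             ("setgid", stat.S_ISGID))
                    if m.mode & bit]
            if bits:
                flagged.append((m.name, "+".join(bits)))
    return flagged


def strip_privilege_bits(archive: bytes) -> bytes:
    """Rewrite the archive with setuid/setgid cleared from every member."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as src, \
            tarfile.open(fileobj=out, mode="w") as dst:
        for m in src.getmembers():
            m.mode &= ~PRIV_BITS
            data = src.extractfile(m) if m.isfile() else None
            dst.addfile(m, data)
    return out.getvalue()
```

Extracting the cleaned archive with a fixed tar, or with Python's `tarfile` and its `data` filter (which itself clears these bits), then yields no privileged files regardless of who runs the extraction.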

CVE Severity

10.0

Status

Ongoing

Affected Products & Versions

  • Palette VerteX airgap 4.4.14
  • Palette VerteX 4.5.3, 4.5.8
  • Palette Enterprise 4.5.3, 4.5.8

Revision History

  • 1.0 08/16/2024 Initial Publication
  • 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
  • 3.0 09/25/2024 CVE remediated in Palette VerteX airgap 4.4.18
  • 4.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
  • 5.0 11/7/2024 Added Palette Enterprise & Palette VerteX 4.5.8 to Affected Products