CVE-2005-2541
CVE Details
Visit the official vulnerability details page for CVE-2005-2541 to learn more.
Initial Publication
10/25/2024
Last Update
12/16/2024
Third Party Dependency
tar
NIST CVE Summary
Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.
CVE Severity
Our Official Summary
Palette & Vertex Impact Summary
This vulnerability is reported on some 3rd party images used by our products. The vulnerability exploitation scenario requires specific conditions to be met: the tar extraction must be performed by the root user, and the tarball itself must be crafted maliciously with setuid or setgid bits. These 3rd party images do not run as root, so the probability of exploitation is low. We will upgrade the image once the upstream fix becomes available.
Palette airgap & Vertex airgap Summary
This vulnerability is reported on some 3rd party images used by our products. The vulnerability exploitation scenario requires specific conditions to be met: the tar extraction must be performed by the root user, and the tarball itself must be crafted maliciously with setuid or setgid bits. These 3rd party images do not run as root, so the probability of exploitation is low. A new fixed version of the image is available by upgrading to 4.4.18.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.5.15 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.11 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.10 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.8 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.5 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.4 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.4.20 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|
| 12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
| 12/06/2024 | Advisory severity revised to HIGH from MEDIUM |
| 12/05/2024 | Advisory severity revised to MEDIUM from HIGH |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
| 11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
| 11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
| 11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
| 10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |