Skip to main content
Version: latest

CVE-2024-1485

CVE Details

Visit the official vulnerability details page for CVE-2024-1485 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

github.com/devfile/registry-support/registry-library

NIST CVE Summary

A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.

CVE Severity

9.3

Our Official Summary

This vulnerability can be exploited by an unauthenticated remote attacker who tricks a user into parsing a devfile with parent or plugin keywords. This malicious interaction could result in the download of a harmful archive, leading the cleanup process to overwrite or delete files outside the intended archive scope. There is no evidence that a public proof-of-concept exists. We are waiting on an upstream fix from the 3rd party vendors and will upgrade the images once the upstream fix becomes available.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.5.15✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.10✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.8✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.5✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.4✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.4.20✅ No Impact⚠️ Impacted⚠️ Impacted⚠️ Impacted

Revision History

DateRevision
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.15
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5