Описание
A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the parent or plugin keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
Отчет
Red Hat Openshift has a "Low" rated impact due to the affected code being shipped, but unused.
Меры по смягчению последствий
Limit or block the parsing of devfiles from untrusted sources.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | odo | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-console | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
8 High
CVSS3
Связанные уязвимости
A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
registry-support: decompress can delete files outside scope via relative paths
8 High
CVSS3