{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0406", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-01-10T18:18:28.288Z", "datePublished": "2024-04-06T16:11:02.643Z", "dateUpdated": "2025-04-26T03:33:36.672Z"}, "containers": {"cna": {"title": "Mholt/archiver: path traversal vulnerability", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library."}], "affected": [{"versions": [{"status": "affected", "version": "v3.0.0", "lessThan": "*", "versionType": "custom"}, {"status": "unaffected", "version": "v4.0.0", "lessThan": "*", "versionType": "custom"}], "packageName": "archiver", "collectionURL": "https://github.com/mholt/archiver", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.18", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift4/oc-mirror-plugin-rhel9", "defaultStatus": "affected", "versions": [{"version": "v4.18.0-202503051333.p0.g22b273d.assembly.stream.el9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.18::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:3"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:3"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:3"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:4"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:4"]}, {"vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:advanced_cluster_security:4"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:2449", "name": "RHSA-2025:2449", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-0406", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749", "name": "RHBZ#2257749", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-01-31T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "timeline": [{"lang": "en", "time": "2024-01-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-31T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Stefan Cornelius (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-04-26T03:33:36.672Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0406", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T19:56:01.225454Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:22:38.198Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.645Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0406", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749", "name": "RHBZ#2257749", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0406", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749", "name": "RHBZ#2257749", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.645Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0406", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T19:56:01.225454Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:43.368Z"}}], "cna": {"title": "Mholt/archiver: path traversal vulnerability", "credits": [{"lang": "en", "value": "This issue was discovered by Stefan Cornelius (Red Hat)."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "v3.0.0", "lessThan": "*", "versionType": "custom"}, {"status": "unaffected", "version": "v4.0.0", "lessThan": "*", "versionType": "custom"}], "packageName": "archiver", "collectionURL": "https://github.com/mholt/archiver", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:openshift:4.18::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.18", "versions": [{"status": "unaffected", "version": "v4.18.0-202503051333.p0.g22b273d.assembly.stream.el9", "lessThan": "*", "versionType": "rpm"}], "packageName": "openshift4/oc-mirror-plugin-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:3"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:3"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:3"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 3", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:4"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "packageName": "advanced-cluster-security/rhacs-main-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:4"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "packageName": "advanced-cluster-security/rhacs-roxctl-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:advanced_cluster_security:4"], "vendor": "Red Hat", "product": "Red Hat Advanced Cluster Security 4", "packageName": "advanced-cluster-security/rhacs-scanner-rhel8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-01-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-31T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-01-31T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:2449", "name": "RHSA-2025:2449", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-0406", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749", "name": "RHBZ#2257749", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-04-26T03:33:36.672Z"}, "x_redhatCweChain": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}}, "cveMetadata": {"cveId": "CVE-2024-0406", "state": "PUBLISHED", "dateUpdated": "2025-04-26T03:33:36.672Z", "dateReserved": "2024-01-10T18:18:28.288Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-04-06T16:11:02.643Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mholt:archiver:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9611164-4F5F-4D75-8E6B-40C77B622481", "versionEndExcluding": "4.0.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:advanced_cluster_security:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F0FD736A-8730-446A-BA3A-7B608DB62B0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "9865460D-A462-4F64-BD67-434E59AF36AF", "versionEndExcluding": "4.18.4", "versionStartIncluding": "4.18", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library."}, {"lang": "es", "value": "Se descubri\u00f3 una falla en el paquete mholt/archiver. Esta falla permite a un atacante crear un archivo tar especialmente manipulado que, cuando se descomprime, puede permitir el acceso a archivos o directorios restringidos. Este problema puede permitir la creaci\u00f3n o sobrescritura de archivos con los privilegios del usuario o de la aplicaci\u00f3n usando la librer\u00eda."}], "id": "CVE-2024-0406", "lastModified": "2025-04-25T15:02:44.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-06T17:15:07.127", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2025:2449"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-0406"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-0406"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Stefan Cornelius (Red Hat).", "affected_release": [{"advisory": "RHSA-2025:2449", "cpe": "cpe:/a:redhat:openshift:4.18::el9", "package": "openshift4/oc-mirror-plugin-rhel9:v4.18.0-202503051333.p0.g22b273d.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.18", "release_date": "2025-03-11T00:00:00Z"}], "bugzilla": {"description": "mholt/archiver: path traversal vulnerability", "id": "2257749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257749"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "status": "verified"}, "cwe": "CWE-22", "details": ["A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.", "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library."], "name": "CVE-2024-0406", "package_state": [{"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}], "public_date": "2024-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-0406\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-0406"], "threat_severity": "Moderate"}