A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the parent or plugin keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
{
"cna_assigner": "redhat",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/1xxx/CVE-2024-1485.json",
"cwe_ids": [
"CWE-22"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "1.16.2"
},
{
"last_affected": "1.16.2"
}
]
}
]
}