Directory Traversal Affecting govulncheck-vulndb package, versions <0.0.20250108T191942-150000.1.26.1
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-SLES156-GOVULNCHECKVULNDB-8620279
- published13 Jan 2025
- disclosed10 Jan 2025
Introduced: 10 Jan 2025
CVE-2024-56514 (opens in a new tab)How to fix?
Upgrade SLES:15.6 govulncheck-vulndb to version 0.0.20250108T191942-150000.1.26.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream govulncheck-vulndb package and not the govulncheck-vulndb package as distributed by SLES.
See How to fix? for SLES:15.6 relevant fixed versions and status.
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag --crd to customize the CRD files required for Karmada initialization when using karmadactl init to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as ../ that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one's karmada-operator to one of the fixed versions.
References
- https://www.suse.com/security/cve/CVE-2024-56514.html
- https://github.com/karmada-io/karmada/commit/40ec488b18a461ab0f871d2c9ec8665b361f0d50
- https://github.com/karmada-io/karmada/commit/f78e7e2a3d02bed04e9bc7abd3ae7b3ac56862d2
- https://github.com/karmada-io/karmada/pull/5703
- https://github.com/karmada-io/karmada/pull/5713
- https://github.com/karmada-io/karmada/security/advisories/GHSA-cwrh-575j-8vr3