CVE-2024-1485 HIGH

CVE-2024-1485: Registry-support: decompress can delete files outside scope via relative paths

Vendor Red Hat
Product OpenShift Developer Tools and Services
Weakness CWE-22 · Path traversal
Published February 13, 2024
Last update March 24, 2026

CVSS base score

8.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H

What the vulnerability does

Description

A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the `parent` or `plugin` keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.

Key dates

Disclosure timeline

February 13, 2024 CVE published
March 24, 2026 Record updated