{
  "threat_severity" : "Moderate",
  "public_date" : "2024-01-31T00:00:00Z",
  "bugzilla" : {
    "description" : "mholt/archiver: path traversal vulnerability",
    "id" : "2257749",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2257749"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.", "A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library." ],
  "statement" : "This is a path traversal vulnerability in v3 of mholt/archiver and has been marked as Moderate for a variety of reasons.\nFirst and foremost, in order to exploit this vulnerability an attacker would require local file system/code execution level access; it cannot be exploited at the network level. Secondly, successful exploitation of this vulnerability only results in the overwriting of files, not denial of service due to resource exhaustion, and no code execution. Keeping all these things in mind, Red Hat has assigned this a Moderate impact.",
  "acknowledgement" : "This issue was discovered by Stefan Cornelius (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.18",
    "release_date" : "2025-03-11T00:00:00Z",
    "advisory" : "RHSA-2025:2449",
    "cpe" : "cpe:/a:redhat:openshift:4.18::el9",
    "package" : "openshift4/oc-mirror-plugin-rhel9:v4.18.0-202503051333.p0.g22b273d.assembly.stream.el9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-roxctl-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-scanner-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-roxctl-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Not affected",
    "package_name" : "advanced-cluster-security/rhacs-scanner-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-0406\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-0406" ],
  "name" : "CVE-2024-0406",
  "csaw" : false
}