{
  "threat_severity" : "Important",
  "public_date" : "2025-03-27T16:25:34Z",
  "bugzilla" : {
    "description" : "tar-fs: link following and path traversal via maliciously crafted tar file",
    "id" : "2355460",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2355460"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-59",
  "details" : [ "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") vulnerability exists in the tar-fs package. It occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.", "A flaw was found in the tar-fs package for Node.js. In affected versions, unauthorized file writes or overwrites outside the intended extraction directory can occur when extracting a maliciously crafted tar file. The issue is associated with index.js in the tar-fs package." ],
  "statement" : "This vulnerability is rated as Important severity because a maliciously crafted tar file, when extracted, can write or overwrite files outside the intended extraction directory. This occurs due to improper handling of link resolution and pathname restrictions. The risk is high for systems that automatically extract tar files, as it can lead to data corruption or unauthorized file modifications without user interaction.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-04-16T00:00:00Z",
    "advisory" : "RHSA-2025:3932",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/pluginregistry-rhel9:3.20-6"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/code-rhel9:3.21-5"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/configbump-rhel9:3.21-5"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/dashboard-rhel9:3.21-12"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/devspaces-operator-bundle:3.21-25"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/devspaces-rhel9-operator:3.21-6"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/imagepuller-rhel9:3.21-2"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/machineexec-rhel9:3.21-4"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/pluginregistry-rhel9:3.21-7"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/server-rhel9:3.21-11"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces-tech-preview/idea-rhel9:3.21-1"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces-tech-preview/jetbrains-ide-rhel9:3.21-3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/traefik-rhel9:3.21-1"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/udi-base-rhel9:3.21-2"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2025-05-28T00:00:00Z",
    "advisory" : "RHSA-2025:8244",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el9",
    "package" : "devspaces/udi-rhel9:3.21-6"
  }, {
    "product_name" : "Red Hat Developer Hub 1.5",
    "release_date" : "2025-06-04T00:00:00Z",
    "advisory" : "RHSA-2025:8540",
    "cpe" : "cpe:/a:redhat:rhdh:1.5::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3"
  }, {
    "product_name" : "Red Hat Developer Hub 1.6",
    "release_date" : "2025-05-14T00:00:00Z",
    "advisory" : "RHSA-2025:7626",
    "cpe" : "cpe:/a:redhat:rhdh:1.6::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:b6bf7ded5e146f60141840bb2e42e72125c61af0f3d3c3fbf48b35bc670675fe"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 7",
    "fix_state" : "Affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:7"
  }, {
    "product_name" : "Red Hat Ceph Storage 8",
    "fix_state" : "Affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:8"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "fix_state" : "Affected",
    "package_name" : "ceph",
    "cpe" : "cpe:/a:redhat:ceph_storage:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-12905\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12905\nhttps://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed" ],
  "name" : "CVE-2024-12905",
  "csaw" : false
}