Nixpkgs security tracker

Untriaged

Permalink CVE-2024-4981

7.6 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): LOW

updated 11 months ago by @mweinelt Activity log

Created automatic suggestion 11 months ago
@mweinelt dismissed 11 months ago
@mweinelt marked as untriaged 11 months ago

Pagure: _update_file_in_git() follows symbolic links in temporary clones

A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo.

References

https://access.redhat.com/security/cve/CVE-2024-4981 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2278745
RHBZ#2280723 x_refsource_REDHATissue-tracking
https://pagure.io/pagure/c/454f2677bc50d7176f07da9784882eb2176537f4

Affected products

pagure

<5.14.1

Matching in nixpkgs

pkgs.haskellPackages.pagure

Pagure REST client library

nixos-unstable 0.1.2

pkgs.haskellPackages.pagure-cli

Pagure client

nixos-unstable 0.2.1
- nixpkgs-unstable 0.2.1
- nixos-unstable-small 0.2.1

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.haskellPackages.pagure

pkgs.haskellPackages.pagure-cli