Miggo Logo
Miggo Vulnerability Database
CVE-2024-1485

CVE-2024-1485: registry-support: decompress can delete files outside scope via relative paths

8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-1485
GHSA ID
GHSA-84xv-jfrm-h4gm
EPSS Score
0.81242%
CWE
CWE-23
Published
2/14/2024
Updated
11/18/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/devfile/registry-support/registry-librarygo< 0.0.0-202402060.0.0-20240206

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper path sanitization in the decompress function. The original code used filepath.Clean on user-controlled header.Name values, which doesn't prevent directory traversal when combined with path.Join. The commit fixes this by introducing CleanFilepath which prepends a '/' to the child path before cleaning, ensuring paths remain contained within the target directory. The removed '#nosec G304' comment and added test cases confirm the vulnerability was in this path construction logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in t** ***ompr*ssion *un*tion o* r**istry-support. T*is issu* **n ** tri***r** *y *n un*ut**nti**t** r*mot* *tt**k*r w**n tri*kin* * us*r into op*nin* * sp**i*lly mo*i*i** .t*r *r**iv*, l***in* to t** *l**nup pro**ss *ollowi

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* s*nitiz*tion in t** ***ompr*ss *un*tion. T** ori*in*l *o** us** *il*p*t*.*l**n on us*r-*ontroll** *****r.N*m* v*lu*s, w*i** *o*sn't pr*v*nt *ir**tory tr*v*rs*l w**n *om*in** wit* p*t*.Join. T** *ommit *ix*s