PT-2024-10212 · iXsystems · TrueNAS CORE

Daan Keuper +2 · Published 2024-11-27 · Updated 2025-08-18 · CVE-2024-11944

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: iXsystems TrueNAS CORE versions prior to 13.0-U6.3

Description: The issue lies in the use of the tarfile.extractall method, which does not properly validate a user-supplied path before using it in file operations. This allows network-adjacent attackers to execute arbitrary code on affected iXsystems TrueNAS installations without authentication. An attacker can combine this with other vulnerabilities to execute code in the context of root.

Recommendations: For versions prior to 13.0-U6.3, update to version 13.0-U6.3 to resolve the issue. As a temporary workaround, restrict access to the tarfile.extractall method and avoid using it in file operations until the patch has been applied.
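The weakness described above is a tarfile.extractall call that trusts member paths from an untrusted archive. The following is an added example (not TrueNAS code and not from this advisory) of the validation a defender would put in front of extraction: each member is checked against the resolved destination directory before it is written, so "../" names, absolute names, and symlink or hardlink members pointing outside the target are refused. The archives, file names and contents below are constructed for the demonstration; on Python 3.12+ (and patch releases that backport it) the standard library offers the same protection through extractall(filter="data").

```python
import io, os, tarfile, tempfile

def _inside(base, candidate):
    # realpath resolves ".." and symlinks, including one planted earlier in the same archive
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(candidate)]) == base

def unsafe_member(member, dest):
    """Reason string if `member` must not land under `dest`, else None."""
    target = os.path.join(dest, member.name)
    if not _inside(dest, target):
        return "path escapes destination: " + member.name
    if member.issym():  # symlink targets are relative to the link's own directory
        if not _inside(dest, os.path.join(os.path.dirname(target), member.linkname)):
            return "symlink escapes destination: " + member.name
    elif member.islnk():  # hard link targets are relative to the archive root
        if not _inside(dest, os.path.join(dest, member.linkname)):
            return "hardlink escapes destination: " + member.name
    elif not (member.isfile() or member.isdir()):
        return "unsupported member type: " + member.name
    return None

def safe_extractall(tar, dest):
    """Extract one member at a time, checking each against the current on-disk state."""
    extracted = []
    for member in tar:
        reason = unsafe_member(member, dest)
        if reason:
            raise ValueError(reason)
        tar.extract(member, path=dest)
        extracted.append(member.name)
    return extracted

def build_tar(entries):
    """In-memory archive from (name, bytes) pairs: constructed test input, not real data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def demo():
    """Benign archive extracts; one carrying a '../' member is refused before any write."""
    dest = tempfile.mkdtemp()
    ok = safe_extractall(tarfile.open(fileobj=build_tar([("conf/app.cfg", b"debug=0\n")])), dest)
    try:
        safe_extractall(tarfile.open(fileobj=build_tar([("../evil.txt", b"x")])), dest)
        refused = None
    except ValueError as exc:
        refused = str(exc)
    return ok, refused, os.path.exists(os.path.join(dest, "..", "evil.txt"))
```

Checking members one at a time against the live destination (rather than pre-screening the whole listing) matters because an earlier member can create a symlink that a later member's path passes through.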

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2025-00542
CVE-2024-11944
ZDI-24-1643

Affected Products

TrueNAS CORE