PT-2024-18086 · Unknown · Registry-Support

Cebarks · Published 2024-02-13 · Updated 2026-02-25 · CVE-2024-1485

CVSS v3.1: 9.3 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: registry-support versions prior to v0.0.0-20240206

Description: A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile that uses the parent or plugin keywords, or into opening a specially modified .tar archive. This can lead to the cleanup process following relative paths and overwriting or deleting files outside the intended scope.

Recommendations: For versions prior to v0.0.0-20240206, update to v0.0.0-20240206 or later to resolve the issue. As a temporary workaround, restrict use of the decompression function in registry-support to reduce the risk of exploitation, avoid the parent and plugin keywords in devfiles until the fix is applied, and limit exposure to specially modified .tar archives so that the cleanup process cannot overwrite or delete files outside the intended scope.
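The containment check that the description implies, as an added example in Go and not registry-support's own code: every tar entry name is resolved under the destination directory before extraction or cleanup touches it, and an entry whose cleaned path leaves that directory is rejected. The function names, the destination path and the archive contents are constructed for this illustration.

```go
package main
import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// SafeJoin resolves an archive entry name under dest and rejects anything that is
// not dest itself or strictly below it; Join cleans "../" before the prefix check.
func SafeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(filepath.Separator)) {
		return "", fmt.Errorf("tar entry %q escapes destination %q", name, cleanDest)
	}
	return target, nil
}

// CheckArchive returns the resolved target of every entry and fails on the first
// that escapes dest. Extraction and the later cleanup should only use these paths.
func CheckArchive(data []byte, dest string) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(data))
	var targets []string
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return targets, err
		}
		t, err := SafeJoin(dest, hdr.Name)
		if err != nil {
			return targets, err
		}
		targets = append(targets, t)
	}
	return targets, nil
}

// BuildTar creates a constructed in-memory archive of empty regular files.
func BuildTar(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		_ = tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Typeflag: tar.TypeReg})
	}
	_ = tw.Close()
	return buf.Bytes()
}
```

Applying the same check to the list of paths kept for cleanup, rather than re-reading raw entry names, keeps the delete step inside the extraction directory as well.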

Fix

Weakness Enumeration

Path traversal
Relative Path Traversal

Related Identifiers

CVE-2024-1485
GHSA-84XV-JFRM-H4GM
GO-2024-2576

Affected Products

Registry-Support