CVE-2024-0406: Mholt/archiver: path traversal vulnerability
First published: Wed Jan 10 2024(Updated: )
A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/mholt | <4 | 4 |
| go/github.com/mholt/archiver | >=3.0.0<=3.5.1 | |
| go/github.com/mholt/archiver/v3 | >=3.0.0<=3.5.1 | |
| Mholt Archiver | >=3.0.0<4.0.0 | |
| Red Hat Advanced Cluster Security | =3.0 | |
| Red Hat OpenShift Container Platform | >=4.18<4.18.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/mholt/archiver/
- https://access.redhat.com/errata/RHSA-2025:2449
- https://bugzilla.redhat.com/show_bug.cgi?id=2257749
- https://access.redhat.com/security/cve/CVE-2024-0406
- https://nvd.nist.gov/vuln/detail/CVE-2024-0406
- https://github.com/advisories/GHSA-rhh4-rh7c-7r5v (Advisory)
- https://pkg.go.dev/vuln/GO-2024-2698
Frequently Asked Questions
What is the severity of CVE-2024-0406?
CVE-2024-0406 is considered a high severity vulnerability due to its potential to allow unauthorized access to restricted files.
How do I fix CVE-2024-0406?
To remediate CVE-2024-0406, upgrade the mholt/archiver package to version 4 or later or ensure you are using an unaffected version of the package.
Which versions of mholt/archiver are affected by CVE-2024-0406?
CVE-2024-0406 affects mholt/archiver versions from 3.0.0 to 3.5.1 inclusive, as well as mholt package version prior to 4.
What kind of attacks can CVE-2024-0406 facilitate?
CVE-2024-0406 can facilitate attacks that involve the crafting of malicious tar files to gain unauthorized access to systems and files.
Is CVE-2024-0406 related to any specific platforms or environments?
CVE-2024-0406 impacts users of the mholt/archiver package across various environments, including those using Go.
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/trending
- agent/source
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-0406
- agent/software-canonical-lookup
- agent/references
- collector/nvd-cve
- source/NVD
- agent/event
- collector/github-advisory
- source/GitHub
- alias/GHSA-rhh4-rh7c-7r5v
- agent/severity
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/github-advisory-latest
- package-manager/redhat
- package-manager/go
- vendor/mholt
- canonical/mholt archiver
- version/mholt archiver/3.0.0
- vendor/redhat
- canonical/red hat advanced cluster security
- version/red hat advanced cluster security/3.0
- canonical/red hat openshift container platform
- version/red hat openshift container platform/4.18