"package": "devspaces/pluginregistry-rhel9:3.21-7", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/server-rhel9:3.21-11", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces-tech-preview/idea-rhel9:3.21-1", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces-tech-preview/jetbrains-ide-rhel9:3.21-3", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/traefik-rhel9:3.21-1", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/udi-base-rhel9:3.21-2", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/udi-rhel9:3.21-6", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:7626", "cpe": "cpe:/a:redhat:rhdh:1.6::el9", "package": "registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:b6bf7ded5e146f60141840bb2e42e72125c61af0f3d3c3fbf48b35bc670675fe", "product_name": "Red Hat Developer Hub 1.6", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:8540", "cpe": "cpe:/a:redhat:rhdh:1.5::el9", "package": 
"registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3", "product_name": "RHDH 1.5", "release_date": "2025-06-04T00:00:00Z"}], "bugzilla": {"description": "tar-fs: link following and path traversal via maliciously crafted tar file", "id": "2355460", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355460"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "(CWE-22|CWE-59)", "details": ["An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.", "A flaw was found in the tar-fs package for Node.js. In affected versions, unauthorized file writes or overwrites outside the intended extraction directory can occur when extracting a maliciously crafted tar file. 
The issue is associated with index.js in the tar-fs package."], "name": "CVE-2024-12905", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "tar-fs", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-dashboard-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-api-server-v2-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-driver-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-launcher-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8", "product_name": "Red 
Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/rekor-search-ui-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2025-03-27T16:25:34Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12905\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12905\nhttps://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed"], "statement": "This vulnerability is rated as an important severity because it allows attackers to extract a malicious tar file that can write or overwrite files outside the intended directory. This occurs due to improper handling of link resolution and pathname limitations. The risk is high for systems that automatically extract tar files, as it can lead to data corruption or unauthorized file modifications without user interaction.", "threat_severity": "Important"}