High severity8.0OSV Advisory· Published Feb 14, 2024· Updated Jun 17, 2026
CVE-2024-1485
CVE-2024-1485
Description
A flaw was found in the decompression function of registry-support. This issue can be triggered if an unauthenticated remote attacker tricks a user into parsing a devfile which uses the parent or plugin keywords. This could download a malicious archive and cause the cleanup process to overwrite or delete files outside of the archive, which should not be allowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/devfile/registry-support/registry-libraryGo | < 0.0.0-20240206 | 0.0.0-20240206 |
Affected products
21- Range: v1.0.0, v1.0.1
- osv-coords20 versionspkg:apk/chainguard/gitlab-rails-ce-18.1pkg:apk/chainguard/gitlab-rails-ce-18.10pkg:apk/chainguard/gitlab-rails-ce-18.11pkg:apk/chainguard/gitlab-rails-ce-18.5pkg:apk/chainguard/gitlab-rails-ce-18.6pkg:apk/chainguard/gitlab-rails-ce-18.7pkg:apk/chainguard/gitlab-rails-ce-18.8pkg:apk/chainguard/gitlab-rails-ce-18.9pkg:apk/chainguard/gitlab-rails-ce-19.0pkg:apk/chainguard/gitlab-rails-ce-fips-18.1pkg:apk/chainguard/gitlab-rails-ce-fips-18.10pkg:apk/chainguard/gitlab-rails-ce-fips-18.11pkg:apk/chainguard/gitlab-rails-ce-fips-18.5pkg:apk/chainguard/gitlab-rails-ce-fips-18.6pkg:apk/chainguard/gitlab-rails-ce-fips-18.7pkg:apk/chainguard/gitlab-rails-ce-fips-18.8pkg:apk/chainguard/gitlab-rails-ce-fips-18.9pkg:apk/chainguard/gitlab-rails-ce-fips-19.0pkg:apk/chainguard/gitlab-rails-ce-fips-19.1pkg:golang/github.com/devfile/registry-support/registry-library
< 18.1.6-r13+ 19 more
- (no CPE)range: < 18.1.6-r13
- (no CPE)range: < 18.10.8-r2
- (no CPE)range: < 18.11.5-r1
- (no CPE)range: < 18.5.7-r1
- (no CPE)range: < 18.6.8-r2
- (no CPE)range: < 18.7.7-r2
- (no CPE)range: < 18.8.11-r1
- (no CPE)range: < 18.9.8-r3
- (no CPE)range: < 19.0.3-r3
- (no CPE)range: < 18.1.6-r16
- (no CPE)range: < 18.10.8-r3
- (no CPE)range: < 18.11.5-r1
- (no CPE)range: < 18.5.7-r1
- (no CPE)range: < 18.6.8-r2
- (no CPE)range: < 18.7.7-r2
- (no CPE)range: < 18.8.11-r1
- (no CPE)range: < 18.9.8-r1
- (no CPE)range: < 19.0.3-r2
- (no CPE)range: < 19.1.1-r2
- (no CPE)range: < 0.0.0-20240206
Patches
Vulnerability mechanics
References
6- github.com/devfile/registry-support/commit/0e44b9ca6d03fac4fc3f77d37656d56dc5defe0dnvdPatchWEB
- github.com/devfile/registry-support/pull/197nvdPatchWEB
- access.redhat.com/security/cve/CVE-2024-1485nvdThird Party AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingThird Party AdvisoryWEB
- github.com/advisories/GHSA-84xv-jfrm-h4gmnvdThird Party AdvisoryADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-1485ghsaADVISORY
News mentions
0No linked articles in our index yet.