VYPR

PackagePersister

by Cloudfoundry

CVEs (1)

  • CVE-2026-41011HigJun 4, 2026
    BOSH
    BOSH
    risk 0.53cvss 8.2epss

    PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via…