rhsa-2025:8540
Vulnerability from csaf_redhat
Published
2025-06-04 18:39
Modified
2025-08-20 22:49
Summary
Red Hat Security Advisory: Red Hat Developer Hub 1.5.2 release.
Notes
Topic
Red Hat Developer Hub 1.5.2 has been released.
Details
Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat Developer Hub 1.5.2 has been released.", "title": "Topic" }, { "category": "general", "text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2025:8540", "url": "https://access.redhat.com/errata/RHSA-2025:8540" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2024-12905", "url": "https://access.redhat.com/security/cve/CVE-2024-12905" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/", "url": "https://access.redhat.com/security/updates/classification/" }, { "category": "external", "summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh", "url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh" }, { "category": "external", "summary": "https://developers.redhat.com/rhdh/overview", "url": "https://developers.redhat.com/rhdh/overview" }, { "category": "external", "summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub", "url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8540.json" } ], "title": "Red Hat Security Advisory: Red Hat Developer Hub 1.5.2 release.", "tracking": { "current_release_date": "2025-08-20T22:49:38+00:00", "generator": { "date": "2025-08-20T22:49:38+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.6" } }, "id": "RHSA-2025:8540", "initial_release_date": "2025-06-04T18:39:35+00:00", "revision_history": [ { "date": "2025-06-04T18:39:35+00:00", "number": "1", "summary": "Initial version" }, { "date": 
"2025-06-04T18:39:38+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-08-20T22:49:38+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Developer Hub 1.5", "product": { "name": "Red Hat Developer Hub 1.5", "product_id": "Red Hat Developer Hub 1.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhdh:1.5::el9" } } } ], "category": "product_family", "name": "Red Hat Developer Hub" }, { "branches": [ { "category": "product_version", "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3_amd64", "product": { "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3_amd64", "product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3_amd64", "product_identification_helper": { "purl": "pkg:oci/rhdh-hub-rhel9@sha256%3Ae76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.5.2-1748495853" } } }, { "category": "product_version", "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5_amd64", "product": { "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5_amd64", "product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5_amd64", "product_identification_helper": { "purl": "pkg:oci/rhdh-rhel9-operator@sha256%3A6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.5.2-1748493879" } } }, { "category": "product_version", "name": 
"registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91_amd64", "product": { "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91_amd64", "product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91_amd64", "product_identification_helper": { "purl": "pkg:oci/rhdh-operator-bundle@sha256%3A13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.5.2-1748873060" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3_amd64 as a component of Red Hat Developer Hub 1.5", "product_id": "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3_amd64" }, "product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3_amd64", "relates_to_product_reference": "Red Hat Developer Hub 1.5" }, { "category": "default_component_of", "full_product_name": { "name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91_amd64 as a component of Red Hat Developer Hub 1.5", "product_id": "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91_amd64" }, "product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91_amd64", "relates_to_product_reference": "Red Hat Developer Hub 1.5" }, { "category": 
"default_component_of", "full_product_name": { "name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5_amd64 as a component of Red Hat Developer Hub 1.5", "product_id": "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5_amd64" }, "product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5_amd64", "relates_to_product_reference": "Red Hat Developer Hub 1.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-12905", "cwe": { "id": "CWE-59", "name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)" }, "discovery_date": "2025-03-27T17:02:14.911888+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91_amd64", "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2355460" } ], "notes": [ { "category": "description", "text": "A flaw was found in the tar-fs package for Node.js. In affected versions, unauthorized file writes or overwrites outside the intended extraction directory can occur when extracting a maliciously crafted tar file. The issue is associated with index.js in the tar-fs package.", "title": "Vulnerability description" }, { "category": "summary", "text": "tar-fs: link following and path traversal via maliciously crafted tar file", "title": "Vulnerability summary" }, { "category": "other", "text": "This vulnerability is rated as an important severity because it allows attackers to extract a malicious tar file that can write or overwrite files outside the intended directory. 
This occurs due to improper handling of link resolution and pathname limitations. The risk is high for systems that automatically extract tar files, as it can lead to data corruption or unauthorized file modifications without user interaction.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3_amd64" ], "known_not_affected": [ "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91_amd64", "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2024-12905" }, { "category": "external", "summary": "RHBZ#2355460", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355460" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2024-12905", "url": "https://www.cve.org/CVERecord?id=CVE-2024-12905" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-12905", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12905" }, { "category": "external", "summary": "https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed", "url": "https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed" } ], "release_date": "2025-03-27T16:25:34.410000+00:00", "remediations": [ { "category": "vendor_fix", "date": "2025-06-04T18:39:35+00:00", "details": "For more about Red Hat 
Developer Hub, see References links", "product_ids": [ "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2025:8540" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3_amd64", "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:13e82b4fccc423d0d68550b084cd37a394fdcdb7313b99e142c1570ccff07d91_amd64", "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:6aeb54054d5bd7a122ab1742b2fcfc47e1227e1d7614907ac84cd202aaecfaa5_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tar-fs: link following and path traversal via maliciously crafted tar file" } ] }