| Bug ID | 1231186 |
|---|---|
| Summary | VUL-0: CVE-2024-47515: pagure: generate_archive() follows symbolic links in temporary clones |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.6 |
| Hardware | Other |
| URL | https://smash.suse.de/issue/422443/ |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | dominik@wombacher.cc |
| Reporter | smash_bz@suse.de |
| QA Contact | security-team@suse.de |
| CC | camila.matos@suse.com |
| Target Milestone | --- |
| Found By | Security Response Team |
| Blocker | --- |
Support of symbolic links during repository archiving of repositories allows the disclosure of local files. This results in the ability to craft valid administrator sessions and take over the Pagure instance. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47515 https://bugzilla.redhat.com/show_bug.cgi?id=2315806