VDB
RHSA-2024%3A2817
RHSA-2024%3A2817
PUBLISHED
CVSS 7.400000095367432 HIGH
A flaw was found in the webpack-dev-middleware package, where it failed to validate the supplied URL address sufficiently before returning local files. This flaw allows an attacker to craft URLs to return arbitrary local files from the developer's machine. The lack of normalization before calling the middleware also allows the attacker to perform path traversal attacks on the target environment.
Risk Scores
CVSS 3.1
7.400000095367432
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | openshift-gitops-1/dex-rhel8@sha256:416353d665f078404aeb21c19099f342157e01eab321e50ff052565e036f9b0e_amd64 as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/dex-rhel8@sha256:416353d665f078404aeb21c19099f342157e01eab321e50ff052565e036f9b0e_amd64 |
| Red Hat | openshift-gitops-1/kam-delivery-rhel8@sha256:c01d39107b2d2449f86ce893c97e790ea6acfa37e69f7d3b70a795ceacec12b6_amd64 as a component of Red Hat OpenShift GitOps 1.10 | * |
| Red Hat | openshift-gitops-1/gitops-rhel8-operator@sha256:957b420874020d5db2a4d4cdfdab41cda7853695cd29494cba78712d01f43cc5_s390x as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/gitops-rhel8-operator@sha256:957b420874020d5db2a4d4cdfdab41cda7853695cd29494cba78712d01f43cc5_s390x |
| Red Hat | openshift-gitops-1/gitops-rhel8@sha256:ead329586aa61f94bf8c8a0efb676e8a695fceef5fcacdc568a4a466b492ec5e_s390x as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/gitops-rhel8@sha256:ead329586aa61f94bf8c8a0efb676e8a695fceef5fcacdc568a4a466b492ec5e_s390x |
| Red Hat | openshift-gitops-1/must-gather-rhel8@sha256:decbecdee5ec0f3a4aaf86a95226d6bf24e2d39cf077048465365e54e613b2d3_arm64 as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/must-gather-rhel8@sha256:decbecdee5ec0f3a4aaf86a95226d6bf24e2d39cf077048465365e54e613b2d3_arm64 |
| Red Hat | openshift-gitops-1/gitops-rhel8@sha256:f658538471aca8330a9d368f2cd3444416dca9a73e3cfb53b735da6463dcf337_amd64 as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/gitops-rhel8@sha256:f658538471aca8330a9d368f2cd3444416dca9a73e3cfb53b735da6463dcf337_amd64 |
| Red Hat | openshift-gitops-1/argocd-rhel8@sha256:91476c66096af76505cfc23d46fbcf2478a7417f86d0dedd59e7091088bcf9ef_ppc64le as a component of Red Hat OpenShift GitOps 1.10 | * |
| Red Hat | openshift-gitops-1/kam-delivery-rhel8@sha256:523a76e2f894264701c5e4c02c70b187abb5b3f58136b91bcafbbae3b48eca84_s390x as a component of Red Hat OpenShift GitOps 1.10 | * |
| Red Hat | openshift-gitops-1/gitops-rhel8@sha256:b6c20bfad0e77414638d912d7cae7ff54ce0be30030fa9ba6f13448966c56294_ppc64le as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/gitops-rhel8@sha256:b6c20bfad0e77414638d912d7cae7ff54ce0be30030fa9ba6f13448966c56294_ppc64le |
| Red Hat | openshift-gitops-1/must-gather-rhel8@sha256:0e76f7330665dc4a4ba52cb6be28f29cb24ed926c583540b721a03bedeb06a6d_s390x as a component of Red Hat OpenShift GitOps 1.10 | * |
| Red Hat | openshift-gitops-1/argo-rollouts-rhel8@sha256:167a4ec509a83696d014c258d640956c733038ae4a711824e4fdd8b004ba7964_amd64 as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/argo-rollouts-rhel8@sha256:167a4ec509a83696d014c258d640956c733038ae4a711824e4fdd8b004ba7964_amd64 |
| Red Hat | openshift-gitops-1/console-plugin-rhel8@sha256:b8a1bb95b79659d5ff896734be4f28bc64c2d61560c473a4a0f1c14b1e18efe5_ppc64le as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/console-plugin-rhel8@sha256:b8a1bb95b79659d5ff896734be4f28bc64c2d61560c473a4a0f1c14b1e18efe5_ppc64le |
| Red Hat | openshift-gitops-1/must-gather-rhel8@sha256:2f61991fbda425d6357195149a4ea8b939a2e6d11e9f15e104c86745d21bd22d_amd64 as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/must-gather-rhel8@sha256:2f61991fbda425d6357195149a4ea8b939a2e6d11e9f15e104c86745d21bd22d_amd64 |
| Red Hat | openshift-gitops-1/kam-delivery-rhel8@sha256:76e7ce8466895cfc12f4f6a024f54674006eaa92b05534685f04089e13eb1364_ppc64le as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/kam-delivery-rhel8@sha256:76e7ce8466895cfc12f4f6a024f54674006eaa92b05534685f04089e13eb1364_ppc64le |
| Red Hat | openshift-gitops-1/gitops-rhel8-operator@sha256:f4fed927355e4b6b53448194e5325b209738fc9ba990d02db4cb75653a878113_amd64 as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/gitops-rhel8-operator@sha256:f4fed927355e4b6b53448194e5325b209738fc9ba990d02db4cb75653a878113_amd64 |
| Red Hat | openshift-gitops-1/argocd-rhel8@sha256:d4584964c9659370dac81298abb68f7b5c1eef49ad1a18c7996cd6cdac16926e_arm64 as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/argocd-rhel8@sha256:d4584964c9659370dac81298abb68f7b5c1eef49ad1a18c7996cd6cdac16926e_arm64 |
| Red Hat | openshift-gitops-1/argo-rollouts-rhel8@sha256:141bc9dec57c4c07ba209755e1b43fb99e2afc195f3430842b275b4c4dfcc5f5_s390x as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/argo-rollouts-rhel8@sha256:141bc9dec57c4c07ba209755e1b43fb99e2afc195f3430842b275b4c4dfcc5f5_s390x |
| Red Hat | openshift-gitops-1/console-plugin-rhel8@sha256:cf1e480c838479f8137537ab68ae818d219c40e58008a03214b0e5b6a3046730_arm64 as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/console-plugin-rhel8@sha256:cf1e480c838479f8137537ab68ae818d219c40e58008a03214b0e5b6a3046730_arm64 |
| Red Hat | openshift-gitops-1/argo-rollouts-rhel8@sha256:53a9bf3139c8915efcf58e72193b652923167d38df5a61d5d5fbafb61b3fab0e_ppc64le as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/argo-rollouts-rhel8@sha256:53a9bf3139c8915efcf58e72193b652923167d38df5a61d5d5fbafb61b3fab0e_ppc64le |
| Red Hat | openshift-gitops-1/gitops-operator-bundle@sha256:ed2a8efb4fc40d2d6a09ceecaa0f16d6bea139e2d7afae6ba85dbae356daf59b_amd64 as a component of Red Hat OpenShift GitOps 1.10 | openshift-gitops-1/gitops-operator-bundle@sha256:ed2a8efb4fc40d2d6a09ceecaa0f16d6bea139e2d7afae6ba85dbae356daf59b_amd64 |
…and 13 more
Timeline
- May 10, 2024 CVE Published
- Apr 24, 2026 CVE Updated
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
References
- https://access.redhat.com/errata/RHSA-2024:2817 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://docs.openshift.com/gitops/1.10/release_notes/gitops-release-notes.html advisory
- https://docs.openshift.com/gitops/1.10/understanding_openshift_gitops/about-redhat-openshift-gitops.html advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2270863 issue
- https://issues.redhat.com/browse/GITOPS-4226 advisory
- https://issues.redhat.com/browse/GITOPS-4513 advisory
- https://issues.redhat.com/browse/GITOPS-4543 advisory
- https://issues.redhat.com/browse/GITOPS-4645 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_2817.json advisory
- https://access.redhat.com/security/cve/CVE-2024-29180 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-29180 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-29180 advisory
- https://github.com/webpack/webpack-dev-middleware/security/advisories/GHSA-wr3j-pwj9-hqq6 advisory