Red Hat JBossEAP: Path Traversal (CVE-2025-48387)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Jun 2, 2025 | Jun 4, 2025 | Jun 6, 2025 |
Description
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified directory when given a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the `ignore` option to skip entries that are not regular files or directories. A flaw was found in tar-fs. This vulnerability allows files to be written outside the intended extraction directory via specially crafted tar archives. The issue arises from insufficient path validation during tarball extraction, potentially enabling path traversal attacks that can overwrite arbitrary files on the system.
Solution
Upgrade Red Hat JBoss EAP to the latest version (solution id: red-hat-jboss-eap-upgrade-latest).
References
- CVE-2025-48387
- https://attackerkb.com/topics/CVE-2025-48387
- https://access.redhat.com/security/cve/CVE-2025-48387
- https://bugzilla.redhat.com/show_bug.cgi?id=2369875
- https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f
- https://github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v