Path Traversal in Fedora Repository 3.8.1 Affects File Security
CVE-2025-23011

8.7 HIGH

Key Information:

Vendor
CVE Published:
23 January 2025

What is CVE-2025-23011?

Fedora Repository version 3.8.1 contains a path traversal vulnerability in the code that extracts uploaded archives, a pattern commonly known as 'Zip Slip': archive entry names containing `../` sequences are written relative to the extraction directory without being checked, so a crafted entry can land outside it. A remote, authenticated attacker can upload such an archive and have arbitrary JSP files written to a directory from which they may then be executed via an unauthenticated GET request. Because version 3.8.1 has reached end-of-life and is no longer maintained, no fix for it will be published; the recommended mitigation is to migrate to a currently supported version, such as 6.5.1, released on January 23, 2025.
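The defensive check that the description implies is shown below as an added example; it is not code from Fedora Repository or from the advisory. It is written in Python rather than the project's Java for brevity, but the rule is the same in any language: resolve each archive entry's destination path and refuse to write it unless it lies inside the intended extraction directory. The archive contents, entry names and directory layout are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def is_within_directory(base: str, target: str) -> bool:
    """True if `target` resolves to `base` itself or to a location beneath it.

    Both paths are canonicalised first so that `..` components and symlinked
    prefixes cannot make a path outside `base` look like it is inside.
    """
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    return os.path.commonpath([base_real, target_real]) == base_real


def extract_safely(zip_bytes: bytes, dest: str):
    """Extract an in-memory zip into `dest`, rejecting entries that escape it.

    Returns (extracted, rejected) as lists of member names, so a caller can
    log rejected entries as a signal that a crafted archive was uploaded.
    """
    extracted, rejected = [], []
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            candidate = os.path.join(dest, name)
            # Absolute member names are rejected outright; relative ones are
            # rejected when their resolved location falls outside `dest`.
            if os.path.isabs(name) or not is_within_directory(dest, candidate):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(candidate, exist_ok=True)
                extracted.append(name)
                continue
            os.makedirs(os.path.dirname(candidate), exist_ok=True)
            with zf.open(info) as src, open(candidate, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry.

    The traversal entry carries placeholder content only; what matters for the
    check is its name, which tries to climb out of the extraction directory.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content\n")
        zf.writestr("../../outside/planted.jsp", "<%-- placeholder --%>")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the sample archive into a fresh temp directory and report."""
    tmp = tempfile.mkdtemp()
    dest = os.path.join(tmp, "extract")
    extracted, rejected = extract_safely(build_sample_archive(), dest)
    return {
        "extracted": extracted,
        "rejected": rejected,
        "benign_present": os.path.isfile(os.path.join(dest, "docs", "readme.txt")),
        "planted_present": os.path.exists(
            os.path.join(tmp, "..", "outside", "planted.jsp")
        ),
    }


if __name__ == "__main__":
    print(run_demo())
```

The comparison is done on canonicalised paths (`os.path.realpath`) rather than by string-matching the entry name for `..`, because a name such as `a/../../b` or a symlink already present under the extraction directory can defeat a naive substring check. In a servlet container the same check should be applied with `java.nio.file.Path.normalize()` and `startsWith()` against the resolved extraction root, and the extraction root itself should never be a directory the container serves and executes.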

Affected Version(s)

Fedora Repository, all versions up to and including 3.8.1 (0 <= version <= 3.8.1)

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
