Platform
java
Component
migration-utils
Fixed in
3.8.2
CVE-2025-23011 describes a Path Traversal vulnerability within the Fedora Repository software. This flaw allows a remote, authenticated attacker to upload a malicious archive, resulting in the extraction of arbitrary files and potential remote code execution. The vulnerability affects Fedora Repository versions 0 through 3.8.1, a release line that is no longer maintained. Mitigation involves upgrading to a supported version, such as 6.5.1.
The primary impact of CVE-2025-23011 is the potential for remote code execution. An attacker can leverage this vulnerability by crafting a specially designed archive file (a "Zip Slip" attack) and uploading it to the Fedora Repository. Upon extraction, the archive will place a JSP file in a location accessible via an unauthenticated GET request. This allows the attacker to execute arbitrary code on the server, effectively gaining control of the system. The blast radius extends to any data stored or processed by the Fedora Repository, and the attacker could potentially pivot to other systems within the network if the repository server has access to sensitive resources.
CVE-2025-23011 was publicly disclosed on January 23, 2025. The vulnerability is related to the broader class of "Zip Slip" vulnerabilities, where archive extraction processes fail to properly validate file paths, allowing attackers to manipulate the extraction process. There is no indication of active exploitation campaigns at this time, but the availability of a public CVE and the relatively simple nature of the exploit suggest that exploitation is possible. The EPSS score is likely medium, given the ease of exploitation and potential impact.
Organizations and individuals utilizing older, unmaintained versions of Fedora Repository (0–3.8.1) are at significant risk. This includes those relying on Fedora Repository for managing software packages or repositories, particularly in environments where authentication is not adequately secured or input validation is lacking. Shared hosting environments using vulnerable Fedora Repository instances are also particularly vulnerable.
• linux / server: Monitor repository logs for unusual file extraction patterns or attempts to access unexpected directories. Use lsof or ss to identify any unexpected processes accessing JSP files.
  lsof /path/to/repository/jsp_directory
• generic web: Check access logs for GET requests targeting JSP files in unexpected locations.
  grep "/jsp_directory/" /var/log/apache2/access.log
• java: Examine the Fedora Repository application code for insecure archive extraction routines. Look for code that doesn't properly validate file paths during extraction.
release
disclosure
Exploit status
EPSS
2.09% (84th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-23011 is to upgrade to a supported version of Fedora Repository, specifically 6.5.1 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds. While a direct WAF rule targeting Zip Slip attacks is complex, restricting file uploads to known safe types and validating archive contents can offer some protection. Regularly scan uploaded archives for suspicious file paths. After upgrading, confirm the vulnerability is resolved by attempting to upload a test archive with a crafted path traversal payload and verifying that the extraction fails or is properly sanitized.
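The following is an added example, not code from Fedora Repository or its migration-utils module, showing what the insecure extraction routine described above looks like next to a hardened version, plus the pre-extraction scan the workaround above calls for. Class and method names (ZipSlipCheck, resolveEntry, findTraversalEntries, extractSafe) and the sample archive it builds are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class ZipSlipCheck {

    // The pattern to flag in code review: the entry name is joined to the
    // destination with no check, so "../x.jsp" lands outside destDir.
    // Shown for comparison only; main() never calls it.
    static void extractUnsafe(ZipFile zip, Path destDir) throws IOException {
        for (ZipEntry e : Collections.list(zip.entries())) {
            Path out = destDir.resolve(e.getName());           // no validation
            if (e.isDirectory()) { Files.createDirectories(out); continue; }
            Files.createDirectories(out.getParent());
            try (InputStream in = zip.getInputStream(e)) {
                Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    // Resolve an entry name against destDir and reject it unless the normalized
    // result is still inside destDir. Path.startsWith compares whole components,
    // so "/srv/dest" does not match "/srv/destination" as a String prefix would.
    // Absolute entry names resolve to themselves and are rejected the same way.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        return target;
    }

    // Scan an uploaded archive before extraction: returns every entry name
    // that would escape destDir (empty list means the archive is clean).
    static List<String> findTraversalEntries(ZipFile zip, Path destDir) {
        List<String> bad = new ArrayList<>();
        for (ZipEntry e : Collections.list(zip.entries())) {
            try {
                resolveEntry(destDir, e.getName());
            } catch (IOException ex) {
                bad.add(e.getName());
            }
        }
        return bad;
    }

    // Hardened extraction: fail closed before any file is written, then
    // re-check each entry as it is written.
    static void extractSafe(ZipFile zip, Path destDir) throws IOException {
        List<String> bad = findTraversalEntries(zip, destDir);
        if (!bad.isEmpty()) {
            throw new IOException("archive rejected, traversal entries: " + bad);
        }
        for (ZipEntry e : Collections.list(zip.entries())) {
            Path out = resolveEntry(destDir, e.getName());
            if (e.isDirectory()) { Files.createDirectories(out); continue; }
            Files.createDirectories(out.getParent());
            try (InputStream in = zip.getInputStream(e)) {
                Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path work = Files.createTempDirectory("zipslip-demo");
        Path archive = work.resolve("upload.zip");
        // Constructed sample upload: one ordinary entry, one traversal entry.
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(archive))) {
            zos.putNextEntry(new ZipEntry("data/readme.txt"));
            zos.write("ordinary content".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.jsp"));
            zos.write("placeholder".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        Path dest = work.resolve("extracted");
        try (ZipFile zip = new ZipFile(archive.toFile())) {
            System.out.println("flagged entries: " + findTraversalEntries(zip, dest));
            try {
                extractSafe(zip, dest);
            } catch (IOException ex) {
                System.out.println("rejected: " + ex.getMessage());
            }
        }
        System.out.println("escaped file written? " + Files.exists(work.resolve("escaped.jsp")));
    }
}
```

The scan-then-extract order matters: checking entries only as they are written leaves earlier entries on disk when a later one is rejected, which is exactly the partial state an attacker wants. The same resolveEntry check is the post-upgrade verification step described above, run against a constructed archive rather than a live instance.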
Upgrade Fedora Repository to version 6.5.1 or later. This version fixes the path traversal vulnerability in archive extraction. Migrating to a supported version as soon as possible is recommended.
CVE-2025-23011 is a Path Traversal vulnerability affecting Fedora Repository versions 0–3.8.1, allowing attackers to upload malicious archives and potentially execute code.
You are affected if you are using Fedora Repository versions 0 through 3.8.1. Upgrade to 6.5.1 or later to mitigate the risk.
The primary fix is to upgrade to Fedora Repository version 6.5.1 or a later supported version. Consider input validation as a temporary workaround.
While no widespread exploitation has been publicly confirmed, the vulnerability pattern is well-known, and exploitation is possible.
Refer to the Fedora Security Advisories for the latest information: https://lists.fedoraproject.org/archives/fedora-security-announce/