{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-0406","title":"Title"},{"category":"description","text":"A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-0406","url":"https://www.suse.com/security/cve/CVE-2024-0406"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1241181 for CVE-2024-0406","url":"https://bugzilla.suse.com/1241181"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:14996-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WDWOGLHCP7BB4S74RDGLKFSALZGMVZWZ/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:15004-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6KWGLCFENU7T4T4H7YR4P6HDEUWVL5XF/"}],"title":"SUSE CVE CVE-2024-0406","tracking":{"current_release_date":"2025-12-15T00:26:55Z","generator":{"date":"2025-04-15T08:08:22Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-0406","initial_release_date":"2025-04-15T08:08:22Z","revision_history":[{"date":"2025-04-15T08:08:22Z","number":"2","summary":"Current version"},{"date":"2025-04-16T02:43:16Z","number":"3","summary":"Current version"},{"date":"2025-04-17T01:41:31Z","number":"4","summary":"Current version"},{"date":"2025-04-18T01:40:42Z","number":"5","summary":"Current version"},{"date":"2025-04-26T03:29:24Z","number":"6","summary":"Current version"},{"date":"2025-12-15T00:26:55Z","number":"7","summary":"more updates released"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"openSUSE Leap 16.0","product":{"name":"openSUSE Leap 16.0","product_id":"openSUSE Leap 16.0"}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"hauler-1.2.2-1.1","product":{"name":"hauler-1.2.2-1.1","product_id":"hauler-1.2.2-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/hauler@1.2.2-1.1"}}},{"category":"product_version","name":"hauler-1.3.1-bp160.1.1","product":{"name":"hauler-1.3.1-bp160.1.1","product_id":"hauler-1.3.1-bp160.1.1","product_identification_helper":{"purl":"pkg:rpm/suse/hauler@1.3.1-bp160.1.1"}}},{"category":"product_version","name":"subfinder-2.7.0-2.1","product":{"name":"subfinder-2.7.0-2.1","product_id":"subfinder-2.7.0-2.1","product_identification_helper":{"purl":"pkg:rpm/suse/subfinder@2.7.0-2.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"hauler-1.3.1-bp160.1.1 as component of openSUSE Leap 16.0","product_id":"openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1"},"product_reference":"hauler-1.3.1-bp160.1.1","relates_to_product_reference":"openSUSE Leap 16.0"},{"category":"default_component_of","full_product_name":{"name":"hauler-1.2.2-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:hauler-1.2.2-1.1"},"product_reference":"hauler-1.2.2-1.1","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"subfinder-2.7.0-2.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:subfinder-2.7.0-2.1"},"product_reference":"subfinder-2.7.0-2.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2024-0406","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-0406"}],"notes":[{"category":"general","text":"A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1","openSUSE Tumbleweed:hauler-1.2.2-1.1","openSUSE Tumbleweed:subfinder-2.7.0-2.1"]},"references":[{"category":"external","summary":"CVE-2024-0406","url":"https://www.suse.com/security/cve/CVE-2024-0406"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1241181 for CVE-2024-0406","url":"https://bugzilla.suse.com/1241181"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:14996-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WDWOGLHCP7BB4S74RDGLKFSALZGMVZWZ/"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:15004-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6KWGLCFENU7T4T4H7YR4P6HDEUWVL5XF/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1","openSUSE Tumbleweed:hauler-1.2.2-1.1","openSUSE Tumbleweed:subfinder-2.7.0-2.1"]}],"scores":[{"cvss_v3":{"baseScore":7.8,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"products":["openSUSE Leap 16.0:hauler-1.3.1-bp160.1.1","openSUSE Tumbleweed:hauler-1.2.2-1.1","openSUSE Tumbleweed:subfinder-2.7.0-2.1"]}],"threats":[{"category":"impact","date":"2024-02-01T18:00:15Z","details":"important"}],"title":"CVE-2024-0406"}]}