{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-56514","title":"Title"},
{"category":"description","text":"Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one's karmada-operator to one of the fixed versions.","title":"Description of the CVE"},
{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-56514","url":"https://www.suse.com/security/cve/CVE-2024-56514"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for SUSE-SU-2025:0060-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2025-January/020087.html"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:14624-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UV63VQGB6Y3V7AIZHIKF3PMFVIHM32MI/"}],"title":"SUSE CVE CVE-2024-56514",
"tracking":{"current_release_date":"2026-03-13T10:30:07Z","generator":{"date":"2025-01-10T00:23:26Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-56514","initial_release_date":"2025-01-10T00:23:26Z","revision_history":[{"date":"2025-01-10T00:23:26Z","number":"2","summary":"Current version"},{"date":"2025-01-11T00:22:19Z","number":"3","summary":"Current version"},{"date":"2025-01-14T00:20:46Z","number":"4","summary":"Current version"},{"date":"2025-02-14T04:01:56Z","number":"5","summary":"Current version"},{"date":"2025-02-16T03:54:17Z","number":"6","summary":"Current version"},{"date":"2025-03-15T04:12:31Z","number":"7","summary":"Current version"},{"date":"2025-04-24T11:41:44Z","number":"8","summary":"Current version"},{"date":"2025-06-17T02:32:35Z","number":"9","summary":"Current version"},{"date":"2025-11-03T01:06:38Z","number":"10","summary":"Current version"},{"date":"2026-01-16T00:42:10Z","number":"11","summary":"unknown changes"},{"date":"2026-03-11T17:52:54Z","number":"12","summary":"unknown changes"},{"date":"2026-03-13T10:30:07Z","number":"13","summary":"unknown changes"}],"status":"interim","version":"13"}},
"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise Server 16.0","product":{"name":"SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server"}}},{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250108T191942-1.1","product":{"name":"govulncheck-vulndb-0.0.20250108T191942-1.1","product_id":"govulncheck-vulndb-0.0.20250108T191942-1.1","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250108T191942-1.1?upstream=govulncheck-vulndb-0.0.20250108T191942-1.1.src.rpm"}}},{"category":"product_version","name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_id":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","product_identification_helper":{"purl":"pkg:rpm/suse/govulncheck-vulndb@0.0.20250814T182633-160000.1.2?upstream=govulncheck-vulndb-0.0.20250814T182633-160000.1.2.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2 as component of SUSE Linux Enterprise Server 16.0","product_id":"SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2"},"product_reference":"govulncheck-vulndb-0.0.20250814T182633-160000.1.2","relates_to_product_reference":"SUSE Linux Enterprise Server 16.0"},{"category":"default_component_of","full_product_name":{"name":"govulncheck-vulndb-0.0.20250108T191942-1.1 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1"},"product_reference":"govulncheck-vulndb-0.0.20250108T191942-1.1","relates_to_product_reference":"openSUSE Tumbleweed"}]},
"vulnerabilities":[{"cve":"CVE-2024-56514","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-56514"}],"notes":[{"category":"general","text":"Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one's karmada-operator to one of the fixed versions.","title":"CVE description"}],
"product_status":{"recommended":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1"]},"references":[{"category":"external","summary":"CVE-2024-56514","url":"https://www.suse.com/security/cve/CVE-2024-56514"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"Advisory link for SUSE-SU-2025:0060-1","url":"https://lists.suse.com/pipermail/sle-security-updates/2025-January/020087.html"},{"category":"external","summary":"Advisory link for openSUSE-SU-2025:14624-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UV63VQGB6Y3V7AIZHIKF3PMFVIHM32MI/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Linux Enterprise Server 16.0:govulncheck-vulndb-0.0.20250814T182633-160000.1.2","openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250108T191942-1.1"]}],"threats":[{"category":"impact","date":"2025-01-03T19:00:19Z","details":"moderate"}],"title":"CVE-2024-56514"}]}