CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-4981: Pagure: _update_file_in_git() follows symbolic links in temporary clones

7.6 CVSS

Description

A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo.

Classification

CVE ID: CVE-2024-4981

CVSS Base Severity: HIGH

CVSS Base Score: 7.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Problem Types

Files or Directories Accessible to External Parties

Affected Products

Vendor:

Product:

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.28% (scored less or equal to compared to others)

EPSS Date: 2025-06-10 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-4981
https://access.redhat.com/security/cve/CVE-2024-4981
https://bugzilla.redhat.com/show_bug.cgi?id=2278745
https://bugzilla.redhat.com/show_bug.cgi?id=2280723

Timeline

2025-05-12 19:40:11 UTC
CVE

Pagure: _update_file_in_git() follows symbolic links in temporary clones