CVE-2024-4981

Publication date 12 May 2025

Last updated 4 February 2026

Ubuntu priority

Cvss 3 Severity Score

Description

A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
pagure	25.10 questing	Not affected
	25.04 plucky	Ignored end of life, was needs-triage
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Fixed 5.11.3+dfsg-2.1ubuntu0.2
	22.04 LTS jammy	Fixed 5.11.3+dfsg-1ubuntu0.1
	20.04 LTS focal	Fixed 5.8.1+dfsg-3ubuntu0.1~esm1

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
pagure	Upstream: https://pagure.io/pagure/c/454f2677bc50d7176f07da9784882eb2176537f4

Severity score breakdown

Parameter	Value
Base score	7.6 · High
Attack vector	Network
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	Low
Availability impact	Low
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

References

Related Ubuntu Security Notices (USN)

USN-7984-1
Pagure vulnerabilities
29 January 2026