Vulnerabilites related to tar_project - tar
Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:07
Summary
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "48083832-29DB-4428-836C-BC1072AC6384",
                     versionEndExcluding: "3.2.2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "77DE1692-7EF1-43FF-95CB-B1EAA8CB030B",
                     versionEndExcluding: "4.4.14",
                     versionStartIncluding: "4.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "EF8B9011-1EAA-4D9E-89CA-597D7309EE66",
                     versionEndExcluding: "5.0.6",
                     versionStartIncluding: "5.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "24EC2FC6-7549-4C94-9560-54A88703BCA5",
                     versionEndExcluding: "6.1.1",
                     versionStartIncluding: "6.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "53B2BB06-A2F7-4603-89C3-C8500E55483A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "01E88C86-8C04-4A4A-BF45-9082AA783056",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B0F46497-4AB0-49A7-9453-CC26837BF253",
                     versionEndExcluding: "1.0.1.1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.",
      },
      {
         lang: "es",
         value: "El paquete npm \"tar\" (también se conoce como node-tar) versiones anteriores a 6.1.1, 5.0.6, 4.4.14 y 3.3.2, presenta una vulnerabilidad de Creación y Sobrescritura de archivos arbitraria debido a un saneo insuficiente de rutas absolutas. node-tar pretende impedir la extracción de rutas absolutas de archivos al convertir las rutas absolutas en relativas cuando el flag \"preservePaths\" no está establecido en \"true\". Esto se consigue eliminando el root de la ruta absoluta de cualquier ruta de archivo absoluta contenida en un archivo tar. Por ejemplo, \"home/user/.bashrc\" se convertiría en \"home/user/.bashrc\". Esta lógica era insuficiente cuando las rutas de los archivos contenían roots de ruta repetidas, como \"////home/user/.bashrc\". \"node-tar\" sólo eliminaba un único root de esas rutas. Cuando se daba una ruta de archivo absoluta con raíces de ruta repetidas, la ruta resultante (por ejemplo, \"///home/user/.bashrc\") seguía resolviéndose como una ruta absoluta, permitiendo así la creación y sobrescritura de archivos arbitraria. Este problema se ha solucionado en las versiones 3.2.2, 4.4.14, 5.0.6 y 6.1.1. Los usuarios pueden solucionar esta vulnerabilidad sin necesidad de actualizar al crear un método personalizado \"onentry\" que sanee \"entry.path\" o un método \"filter\" que elimine las entradas con rutas absolutas. Consulte el aviso de GitHub mencionado para obtener más detalles. Tenga en cuenta CVE-2021-32803 que corrige un error similar en versiones posteriores de tar",
      },
   ],
   id: "CVE-2021-32804",
   lastModified: "2024-11-21T06:07:46.800",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 5.8,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 8.2,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.8,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.1,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.2,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-08-03T19:15:08.410",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://www.npmjs.com/advisories/1770",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://www.npmjs.com/package/tar",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://www.npmjs.com/advisories/1770",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://www.npmjs.com/package/tar",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2019-08-26 13:15
Modified
2024-11-21 04:02
Summary
An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive.
Impacted products
Vendor Product Version
tar_project tar *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "9DE891D1-1716-46D5-9A15-9F665231A083",
                     versionEndExcluding: "0.4.16",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive.",
      },
      {
         lang: "es",
         value: "Se descubrió  un problema en el paquete (crate) tar versiones anteriores a 0.4.16 para Rust. Una sobrescritura arbitraria de archivos puede producirse por medio de un enlace simbólico o un enlace físico en un archivo TAR.",
      },
   ],
   id: "CVE-2018-20990",
   lastModified: "2024-11-21T04:02:38.327",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.4,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV30: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
               version: "3.0",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2019-08-26T13:15:11.070",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://rustsec.org/advisories/RUSTSEC-2018-0002.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Third Party Advisory",
         ],
         url: "https://rustsec.org/advisories/RUSTSEC-2018-0002.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-59",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-08-10 23:15
Modified
2024-11-21 06:17
Summary
An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal.
Impacted products
Vendor Product Version
tar_project tar *



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:rust:*:*",
                     matchCriteriaId: "031C7301-774E-4111-B8FD-2A781AB71D1B",
                     versionEndExcluding: "0.4.36",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal.",
      },
      {
         lang: "es",
         value: "Se ha detectado un problema en la crate tar versiones anteriores a 0.4.36 para Rust. Cuando los enlaces simbólicos están presentes en un archivo TAR, la extracción puede crear directorios arbitrarios por medio de .. Salto",
      },
   ],
   id: "CVE-2021-38511",
   lastModified: "2024-11-21T06:17:17.140",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-08-10T23:15:07.237",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://rustsec.org/advisories/RUSTSEC-2021-0080.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
            "Third Party Advisory",
         ],
         url: "https://rustsec.org/advisories/RUSTSEC-2021-0080.html",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-59",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2021-08-03 19:15
Modified
2024-11-21 06:07
Summary
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "46F4025D-5388-42D2-A9E8-012087C68BC6",
                     versionEndExcluding: "3.2.3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "75A17A88-D363-44AE-AD91-C174ACC20558",
                     versionEndExcluding: "4.4.15",
                     versionStartIncluding: "4.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "5335FC42-CC5E-4DD6-9803-FF4141788AD1",
                     versionEndExcluding: "5.0.7",
                     versionStartIncluding: "5.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*",
                     matchCriteriaId: "F18C920A-6E1F-4EDD-ABAF-701653079888",
                     versionEndExcluding: "6.1.2",
                     versionStartIncluding: "6.0.0",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "53B2BB06-A2F7-4603-89C3-C8500E55483A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*",
                     matchCriteriaId: "01E88C86-8C04-4A4A-BF45-9082AA783056",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "B0F46497-4AB0-49A7-9453-CC26837BF253",
                     versionEndExcluding: "1.0.1.1",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.",
      },
      {
         lang: "es",
         value: "El paquete npm \"tar\" (también se conoce como node-tar) versiones anteriores a 6.1.2, 5.0.7, 4.4.15 y 3.2.3 presenta una vulnerabilidad de Creación y Sobrescritura de archivos arbitraria por medio de una protección insuficiente de enlaces simbólicos. El objetivo de \"node-tar\" es garantizar que no se extraiga ningún archivo cuya ubicación pueda ser modificada por un enlace simbólico. Esto se consigue, en parte, al asegurar que los directorios extraídos no sean enlaces simbólicos. Adicionalmente, para evitar llamadas innecesarias a \"stat\" para determinar si una ruta dada es un directorio, las rutas se almacenan en caché cuando los directorios son creados. Esta lógica era insuficiente cuando se extraían archivos tar que contenían tanto un directorio como un enlace simbólico con el mismo nombre que el directorio. Este orden de operaciones resultaba que el directorio fuera creado y se añadiera a la caché de directorios del \"nodo-tar\". Cuando un directorio está presente en la caché de directorios, las siguientes llamadas a mkdir para ese directorio se saltan. Sin embargo, aquí es también donde \"node-tar\" comprueba que los enlaces simbólicos ocurran. Al crear primero un directorio, y luego reemplazando ese directorio con un enlace simbólico, era posible así omitir las comprobaciones de enlaces simbólicos de \"node-tar\" en los directorios, permitiendo esencialmente que un archivo tar no confiable se enlazara simbólicamente en una ubicación arbitraria y que subsecuentemente se extrajeran archivos arbitrarios en esa ubicación, permitiendo así la creación y sobrescritura de archivos arbitraria. Este problema se solucionó en las versiones 3.2.3, 4.4.15, 5.0.7 y 6.1.2",
      },
   ],
   id: "CVE-2021-32803",
   lastModified: "2024-11-21T06:07:46.637",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 5.8,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 4.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "NONE",
               baseScore: 8.2,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.8,
            source: "security-advisories@github.com",
            type: "Secondary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 8.1,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "HIGH",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 5.2,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2021-08-03T19:15:08.297",
   references: [
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://www.npmjs.com/advisories/1771",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://www.npmjs.com/package/tar",
      },
      {
         source: "security-advisories@github.com",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mitigation",
            "Third Party Advisory",
         ],
         url: "https://www.npmjs.com/advisories/1771",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Product",
            "Third Party Advisory",
         ],
         url: "https://www.npmjs.com/package/tar",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
            "Third Party Advisory",
         ],
         url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
      },
   ],
   sourceIdentifier: "security-advisories@github.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "security-advisories@github.com",
         type: "Secondary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-59",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

cve-2018-20990
Vulnerability from cvelistv5
Published
2019-08-26 12:39
Modified
2024-08-05 12:19
Severity ?
Summary
An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive.
References
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-05T12:19:27.012Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://rustsec.org/advisories/RUSTSEC-2018-0002.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2019-08-26T12:39:33",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://rustsec.org/advisories/RUSTSEC-2018-0002.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2018-20990",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://rustsec.org/advisories/RUSTSEC-2018-0002.html",
                     refsource: "MISC",
                     url: "https://rustsec.org/advisories/RUSTSEC-2018-0002.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2018-20990",
      datePublished: "2019-08-26T12:39:33",
      dateReserved: "2019-08-25T00:00:00",
      dateUpdated: "2024-08-05T12:19:27.012Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-32804
Vulnerability from cvelistv5
Published
2021-08-03 19:10
Modified
2024-08-03 23:33
Summary
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
Impacted products
Vendor Product Version
npm node-tar Version: < 3.2.2
Version: >= 4.0.0, < 4.4.14
Version: >= 5.0.0, < 5.0.6
Version: >= 6.0.0, < 6.1.1
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T23:33:56.070Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.npmjs.com/package/tar",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.npmjs.com/advisories/1770",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "node-tar",
               vendor: "npm",
               versions: [
                  {
                     status: "affected",
                     version: "< 3.2.2",
                  },
                  {
                     status: "affected",
                     version: ">= 4.0.0, < 4.4.14",
                  },
                  {
                     status: "affected",
                     version: ">= 5.0.0, < 5.0.6",
                  },
                  {
                     status: "affected",
                     version: ">= 6.0.0, < 6.1.1",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-03-08T14:07:16",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.npmjs.com/package/tar",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.npmjs.com/advisories/1770",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
            },
         ],
         source: {
            advisory: "GHSA-3jfq-g458-7qm9",
            discovery: "UNKNOWN",
         },
         title: "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2021-32804",
               STATE: "PUBLIC",
               TITLE: "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "node-tar",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< 3.2.2",
                                       },
                                       {
                                          version_value: ">= 4.0.0, < 4.4.14",
                                       },
                                       {
                                          version_value: ">= 5.0.0, < 5.0.6",
                                       },
                                       {
                                          version_value: ">= 6.0.0, < 6.1.1",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "npm",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.npmjs.com/package/tar",
                     refsource: "MISC",
                     url: "https://www.npmjs.com/package/tar",
                  },
                  {
                     name: "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9",
                     refsource: "CONFIRM",
                     url: "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9",
                  },
                  {
                     name: "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4",
                     refsource: "MISC",
                     url: "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4",
                  },
                  {
                     name: "https://www.npmjs.com/advisories/1770",
                     refsource: "MISC",
                     url: "https://www.npmjs.com/advisories/1770",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
                     refsource: "CONFIRM",
                     url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
                  },
               ],
            },
            source: {
               advisory: "GHSA-3jfq-g458-7qm9",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-32804",
      datePublished: "2021-08-03T19:10:12",
      dateReserved: "2021-05-12T00:00:00",
      dateUpdated: "2024-08-03T23:33:56.070Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-38511
Vulnerability from cvelistv5
Published
2021-08-10 22:12
Modified
2024-08-04 01:44
Severity ?
Summary
An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal.
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T01:44:23.549Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://rustsec.org/advisories/RUSTSEC-2021-0080.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-08-10T22:12:46",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://rustsec.org/advisories/RUSTSEC-2021-0080.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2021-38511",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://rustsec.org/advisories/RUSTSEC-2021-0080.html",
                     refsource: "MISC",
                     url: "https://rustsec.org/advisories/RUSTSEC-2021-0080.html",
                  },
                  {
                     name: "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md",
                     refsource: "MISC",
                     url: "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2021-38511",
      datePublished: "2021-08-10T22:12:46",
      dateReserved: "2021-08-10T00:00:00",
      dateUpdated: "2024-08-04T01:44:23.549Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-32803
Vulnerability from cvelistv5
Published
2021-08-03 19:05
Modified
2024-08-03 23:33
Summary
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Impacted products
Vendor Product Version
npm node-tar Version: < 3.2.3
Version: >= 4.0.0, < 4.4.15
Version: >= 5.0.0, < 5.0.7
Version: >= 6.0.0, < 6.1.2
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T23:33:56.082Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.npmjs.com/advisories/1771",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.npmjs.com/package/tar",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "node-tar",
               vendor: "npm",
               versions: [
                  {
                     status: "affected",
                     version: "< 3.2.3",
                  },
                  {
                     status: "affected",
                     version: ">= 4.0.0, < 4.4.15",
                  },
                  {
                     status: "affected",
                     version: ">= 5.0.0, < 5.0.7",
                  },
                  {
                     status: "affected",
                     version: ">= 6.0.0, < 6.1.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-22",
                     description: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-03-08T14:06:49",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.npmjs.com/advisories/1771",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.npmjs.com/package/tar",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
            },
         ],
         source: {
            advisory: "GHSA-r628-mhmh-qjhw",
            discovery: "UNKNOWN",
         },
         title: "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security-advisories@github.com",
               ID: "CVE-2021-32803",
               STATE: "PUBLIC",
               TITLE: "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "node-tar",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "< 3.2.3",
                                       },
                                       {
                                          version_value: ">= 4.0.0, < 4.4.15",
                                       },
                                       {
                                          version_value: ">= 5.0.0, < 5.0.7",
                                       },
                                       {
                                          version_value: ">= 6.0.0, < 6.1.2",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "npm",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.",
                  },
               ],
            },
            impact: {
               cvss: {
                  attackComplexity: "LOW",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 8.2,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw",
                     refsource: "CONFIRM",
                     url: "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw",
                  },
                  {
                     name: "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20",
                     refsource: "MISC",
                     url: "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20",
                  },
                  {
                     name: "https://www.npmjs.com/advisories/1771",
                     refsource: "MISC",
                     url: "https://www.npmjs.com/advisories/1771",
                  },
                  {
                     name: "https://www.npmjs.com/package/tar",
                     refsource: "MISC",
                     url: "https://www.npmjs.com/package/tar",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
                  },
                  {
                     name: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
                     refsource: "CONFIRM",
                     url: "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
                  },
               ],
            },
            source: {
               advisory: "GHSA-r628-mhmh-qjhw",
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2021-32803",
      datePublished: "2021-08-03T19:05:12",
      dateReserved: "2021-05-12T00:00:00",
      dateUpdated: "2024-08-03T23:33:56.082Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}