CVE-2015-8860

CWE-59 | 11 documents | 8 sources
Severity
7.5 HIGH
EPSS
0.4%
top 41.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jan 23
Latest update Mar 15

Description

The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Debian: node-tar < 2.2.1-1+3
NVD: nodejs/node.js 1.8.4
npm: tar < 2.0.0

Vulnerability Details (4)

GHSA: Symlink Arbitrary File Overwrite in tar (2017-10-24)
OSV: Symlink Arbitrary File Overwrite in tar (2017-10-24)
CVEList: CVE-2015-8860: The tar package before 2 (2017-01-23)
OSV: CVE-2015-8860: The tar package before 2 (2017-01-23)

Vendor Advisories (3)

Ubuntu: node-tar vulnerability (2021-03-15)
Red Hat: nodejs-tar: insecure processing of symbolic links during package processing (2015-03-27)
Debian: CVE-2015-8860: node-tar - The tar package before 2.0.0 for Node.js allows remote attackers to write to arb... (2015)

Community (3)

Bugzilla: CVE-2015-8860 nodejs-tar: insecure processing of symbolic links during package processing [epel-all] (2015-04-07)
Bugzilla: CVE-2015-8860 nodejs-tar: insecure processing of symbolic links during package processing [fedora-all] (2015-04-07)
Bugzilla: CVE-2015-8860 nodejs-tar: insecure processing of symbolic links during package processing (2015-04-07)
CVE-2015-8860 (HIGH CVSS 7.5) | The tar package before 2.0.0 for No | cvebase.io