CVE-2015-8860
Published: 2017-01-23
Priority: P3 47 · Severity: high · CVSS 3.0: 7.5
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 4.91% (91.0th percentile)
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
Affected
4 ranges (duplicate rows collapsed; the vulnerable component is the npm `tar` package for Node.js, not GNU tar)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar | < 2.2.1-1 (bookworm) | 2.2.1-1 (bookworm) |
| isaacs | tar (npm package for Node.js) | >= 0 < 2.0.0 | 2.0.0 |
| isaacs | node-tar | >= 0 < 2.2.1-1 | 2.2.1-1 |
| nodejs | node.js | <= 1.8.4 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW (Debian's own rating) | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Ubuntu
node-tar vulnerability
vendor_ubuntu·2021-03-15
Summary: node-tar could be made to write arbitrary files to the filesystem if it opened a specially crafted tar archive.
It was discovered that node-tar mishandled certain tar archives. An attacker could use this vulnerability to write arbitrary files to the filesystem.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
nodejs-tar: insecure processing of symbolic links during package processing
vendor_redhat·2015-03-27·CVSS 7.5
CVE-2015-8860 [HIGH] CWE-59 nodejs-tar: insecure processing of symbolic links during package processing
A flaw was found in the way nodejs-tar, a Node.js module for reading and writing of tar archives, handled symbolic links when processing NPM packages. An attacker could potentially use this flaw to rewrite arbitrary files on the system.
Package: nodejs010-nodejs-tar (Red Hat Software Collections) - Affected
Debian
node-tar
vendor_debian·2015·CVSS 7.5 [HIGH]
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
Scope: local
bookworm: resolved (fixed in 2.2.1-1)
bullseye: resolved (fixed in 2.2.1-1)
forky: resolved (fixed in 2.2.1-1)
sid: resolved (fixed in 2.2.1-1)
trixie: resolved (fixed in 2.2.1-1)
GHSA
Symlink Arbitrary File Overwrite in tar
ghsa·2017-10-24
CVE-2015-8860 [HIGH] CWE-59 Symlink Arbitrary File Overwrite in tar
Versions of `tar` prior to 2.0.0 are affected by an arbitrary file write vulnerability. The vulnerability occurs because `tar` does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.
## Recommendation
Update to version 2.0.0 or later
OSV
Symlink Arbitrary File Overwrite in tar
osv·2017-10-24 (same advisory text as the GHSA entry above)
OSV
CVE-2015-8860
osv·2017-01-23·CVSS 7.5 [HIGH]
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-8860 nodejs-tar: insecure processing of symbolic links during package processing [epel-all]
bugzilla·2015-04-07·CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mul
Bugzilla
CVE-2015-8860 nodejs-tar: insecure processing of symbolic links during package processing [fedora-all]
bugzilla·2015-04-07·CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multip
Bugzilla
CVE-2015-8860 nodejs-tar: insecure processing of symbolic links during package processing
bugzilla·2015-04-07·CVSS 7.5
A flaw was found in the way nodejs-tar, a Node.js module for reading and writing of tar archives, handled symbolic links when processing npm packages. An attacker could potentially use this flaw to rewrite arbitrary files on the system.
The fix normalizes symbolic links that point to targets outside the extraction root. This prevents packages containing symbolic links from overwriting targets outside the expected paths for a package.
Upstream announcement: https://github.com/npm/npm/releases/tag/v2.7.5
Upstream fix: https://github.com/npm/npm/commit/300834e91a4e2a95fb7fb59c309e7c3fc91d2312
Discussion:
Created nodejs-tar tracking bugs for this issue:
Affects: fedora-all [bug 1209503]
Affects: epe