CVE-2018-20834 — Link Following in TAR

CWE-59 — Link Following10 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 27.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Isaacs Node-tar Isaacs TAR GNU TAR

Timeline

PublishedApr 30

Latest updateMay 1

Description

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Debianisaacs/node-tar< 4.4.4+ds1-2+3

▶npmgnu/tar3.0.0 — 4.4.2+1

▶NVDisaacs/tar3.0.0 — 4.4.2+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Arbitrary File Overwrite in tar↗2019-05-01

▶

GHSA

Arbitrary File Overwrite in tar↗2019-05-01

▶

OSV

CVE-2018-20834: A vulnerability was found in node-tar before version 4↗2019-04-30

▶

CVEList

CVE-2018-20834: A vulnerability was found in node-tar before version 4↗2019-04-30

▶

📋Vendor Advisories

Red Hat

nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link↗2018-04-30

▶

Debian

CVE-2018-20834: node-tar - A vulnerability was found in node-tar before version 4.4.2 (excluding version 2....↗2018

▶

💬Community

Bugzilla

CVE-2018-20834 nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link↗2019-04-23

▶

Bugzilla

CVE-2018-20834 nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link [epel-all]↗2019-04-23

▶

Bugzilla

CVE-2018-20834 nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link [fedora-all]↗2019-04-23

▶