CVE-2018-20834
Published 2019-04-30
Priority: P3 · Severity: high · CVSS 3.0 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (network, low attack complexity, no privileges, no user interaction, unchanged scope; integrity high, confidentiality none, availability none)
EPSS: 3.15% (86.3rd percentile)
A vulnerability was found in node-tar (the npm `tar` package) before version 4.4.2, and in the 2.x line before version 2.2.2. An arbitrary file overwrite occurs when extracting a tarball that contains a hardlink entry whose target is a file that already exists on the system, followed by a plain-file entry with the same name as the hardlink. The extractor creates the hardlink and then opens that same path to write the later entry; because both names refer to the same inode, the plain file's content replaces the content of the existing target file. Any code that extracts untrusted archives with an affected version is exposed, and what can be overwritten is bounded only by the filesystem permissions of the extracting process. Fixed in node-tar 4.4.2 and 2.2.2.
Affected
The affected package is the npm `tar` module (node-tar, github.com/npm/node-tar); GNU tar is a different code base and is not affected by this CVE. Upstream fixed the 2.x and 4.x lines separately; Debian ships the fix in its node-tar package.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| npm (isaacs) | tar | >= 0 < 2.2.2 | 2.2.2 |
| npm (isaacs) | tar | >= 3.0.0 < 4.4.2 | 4.4.2 |
| debian | node-tar | < 4.4.4+ds1-2 | 4.4.4+ds1-2 (bookworm and later) |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| OSV | | 7.5 | HIGH | |
| Debian | | 7.5 | HIGH | |
| Red Hat | | 7.5 | HIGH | |
The NVD 3.0 vector scores integrity impact only; Red Hat's Bugzilla entry below records raising its own rating to C:H/I:H/A:H on the grounds of what an overwritten file can enable.
OSV / GHSA
Arbitrary File Overwrite in tar
osv·2019-05-01 · ghsa·2019-05-01 · CWE-59 (Improper Link Resolution Before File Access)
Versions of `tar` prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to arbitrary file overwrite. Extracting a tarball that contains a hardlink to a file that already exists on the system, followed by a file entry that matches the hardlink's name, overwrites the existing file with the contents of the extracted entry.
## Recommendation
For tar 4.x, upgrade to version 4.4.2 or later.
For tar 2.x, upgrade to version 2.2.2 or later.
Red Hat
nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link
vendor_redhat·2018-04-30·CVSS 7.5·CWE-59
A flaw was found in nodejs-tar in versions prior to 4.4.2. An arbitrary file overwrite can occur when extracting tarballs containing a hard-link to a file that already exists in the system. Further, a file that matches the hard-link may overwrite the system's files with the contents of the extracted file. The
Debian
CVE-2018-20834: node-tar
vendor_debian·2018·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 4.4.4+ds1-2)
bullseye: resolved (fixed in 4.4.4+ds1-2)
forky: resolved (fixed in 4.4.4+ds1-2)
sid: resolved (fixed in 4.4.4+ds1-2)
trixie: resolved (fixed in 4.4.4+ds1-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-20834 nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link
bugzilla·2019-04-23·CVSS 7.5
A vulnerability was found in nodejs-tar before version 4.4.2. An arbitrary file overwrite occurs when extracting tarballs containing a hard-link to a file that already exists in the system; a file that matches the hard-link may overwrite the system's files with the contents of the extracted file.
References:
https://hackerone.com/reports/344595
Upstream Patch:
https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8
Discussion:
Created nodejs-tar tracking bugs for this issue:
Affects: epel-all [bug 1702339]
Affects: fedora-all [bug 1702340]
---
Raised the CVSS score to CIA:HHH as the specially crafted tar file could overwrite files that would allow an attacker to ex
Bugzilla
CVE-2018-20834 nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link [epel-all] (bug 1702339)
bugzilla·2019-04-23·CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue aff
Bugzilla
CVE-2018-20834 nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link [fedora-all] (bug 1702340)
bugzilla·2019-04-23·CVSS 7.5
Automatically created tracking bug for fedora-all, carrying the same template text as the epel-all tracking bug above.
References
https://access.redhat.com/errata/RHSA-2019:1821
https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d
https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8
https://github.com/npm/node-tar/commits/v2.2.2
https://github.com/npm/node-tar/compare/58a8d43...a5f7779
https://hackerone.com/reports/344595
https://nvd.nist.gov/vuln/detail/CVE-2018-20834