CVE-2018-20990: Link Following in Project TAR

CWE-59: Link Following | 7 documents | 5 sources
Severity: 7.5 HIGH (NVD)
EPSS: 0.3% (top 46.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 26 | Latest update Aug 25

Description

An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

crates.io | gnu/tar | 0.0.0-0 to 0.4.16 | +1
NVD | tar_project/tar | < 0.4.16

🔴 Vulnerability Details (5)

OSV | Arbitrary file overwrite in tar-rs | 2021-08-25
GHSA | Arbitrary file overwrite in tar-rs | 2021-08-25
CVEList | CVE-2018-20990: An issue was discovered in the tar crate before 0 | 2019-08-26
OSV | CVE-2018-20990: An issue was discovered in the tar crate before 0 | 2019-08-26
OSV | Links in archives can overwrite any existing file | 2018-06-29

📋 Vendor Advisories (1)

Debian | CVE-2018-20990: rust-tar - An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file ... | 2018