CVE-2021-32803: Path Traversal in Node-tar

Severity: 8.1 HIGH (NVD); CNA: 8.2
EPSS: 0.2% (top 63.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 3; Latest update Feb 11

Description

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Exploitability: 2.8 | Impact: 5.2

Affected Packages (6 packages)

Source    | Package          | Affected versions                  | More
CVEListV5 | npm/node-tar     | < 3.2.2                            | +7
Debian    | isaacs/node-tar  | < 6.0.5+ds1+~cs11.3.9-1+deb11u1    | +3
npm       | gnu/tar          | 3.0.0 to 3.2.3                     | +3
NVD       | tar_project/tar  | 4.0.0 to 4.4.15                    | +3

Patches

Vulnerability Details (4)

GHSA: Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning (2021-08-03)
CVEList: Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning (2021-08-03)
OSV: Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning (2021-08-03)
OSV: CVE-2021-32803: The npm package "tar" (aka node-tar) before versions 6 (2021-08-03)

Vendor Advisories (3)

Ubuntu: Tar for Node.js vulnerability (2022-02-11)
Red Hat: nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (2021-08-03)
Debian: CVE-2021-32803: node-tar - The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3... (2021)
CVE-2021-32803 — Path Traversal in NPM Node-tar | cvebase