CVE-2021-32803
Published 2021-08-03
CVE-2021-32803: The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient…
Priority P348, high, 8.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS: 7.80% (93.9th percentile)
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection.

`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, to avoid unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. With that order of operations, the directory was created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, that mkdir call is also where the `node-tar` symlink checks occur. By first creating a directory and then replacing that directory with a symlink, it was thus possible to bypass the `node-tar` symlink checks on directories, allowing an untrusted tar file to symlink into an arbitrary location and subsequently extract arbitrary files into that location, and so allowing arbitrary file creation and overwrite.

This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
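The stale-cache condition described above can be reproduced in a small in-memory model. This is an added example, not code from node-tar: `extract`, `invalidateCache` and the entry records are hypothetical names, the filesystem is a `Map`, and dropping the cache entry when a non-directory replaces a path is shown as one way to close the gap in this model.

```javascript
// Added illustration: a simplified model of the cached-mkdir logic, not node-tar's code.
// The "filesystem" is a Map of path -> 'dir' | 'symlink' | 'file'; nothing touches disk.
const norm = (p) => p.replace(/\/+$/, '');

function extract(entries, { invalidateCache }) {
  const fs = new Map();        // modelled filesystem state
  const dirCache = new Set();  // paths already created as real directories
  const written = [];
  const refused = [];

  // mkdir for one path. The symlink check lives here, so a cache hit skips it.
  const mkdir = (dir) => {
    if (dirCache.has(dir)) return true;
    if (fs.get(dir) === 'symlink') return false;
    fs.set(dir, 'dir');
    dirCache.add(dir);
    return true;
  };
  // Create every ancestor of `path`; false if any ancestor is a symlink.
  const mkdirParents = (path) => {
    const parts = path.split('/').slice(0, -1);
    return parts.every((_, i) => mkdir(parts.slice(0, i + 1).join('/')));
  };

  for (const entry of entries) {
    const path = norm(entry.path);
    if (!mkdirParents(path)) { refused.push(path); continue; }
    if (entry.type === 'Directory') {
      if (!mkdir(path)) refused.push(path);
      continue;
    }
    // A non-directory now occupies this path, so a cached "is a directory"
    // answer for it is stale. The hardened variant forgets it.
    if (invalidateCache) dirCache.delete(path);
    fs.set(path, entry.type === 'SymbolicLink' ? 'symlink' : 'file');
    if (entry.type === 'File') written.push(path);
  }
  return { written, refused };
}

// Constructed entry list: a directory, then a same-named symlink, then a file under it.
const SAMPLE = [
  { type: 'Directory', path: 'out/' },
  { type: 'SymbolicLink', path: 'out', linkpath: '/constructed/outside-root' },
  { type: 'File', path: 'out/payload.txt' },
];

console.log('cache kept:   ', extract(SAMPLE, { invalidateCache: false }));
console.log('cache dropped:', extract(SAMPLE, { invalidateCache: true }));
```

With the cache kept, the file under `out` is written through the symlink because the cached mkdir never re-checks the path; with the cache entry dropped, the same entry is refused.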
Affected
28 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar | < node-tar 6.1.7+~cs11.3.10-1 (bookworm) | node-tar 6.1.7+~cs11.3.10-1 (bookworm) |
| gnu | tar | >= 0 < 3.2.2 | 3.2.2 |
| gnu | tar | >= 3.0.0 < 3.2.3 | 3.2.3 |
| gnu | tar | >= 4.0.0 < 4.4.14 | 4.4.14 |
| gnu | tar | >= 4.0.0 < 4.4.15 | 4.4.15 |
| gnu | tar | >= 5.0.0 < 5.0.6 | 5.0.6 |
| gnu | tar | >= 5.0.0 < 5.0.7 | 5.0.7 |
| gnu | tar | >= 6.0.0 < 6.1.1 | 6.1.1 |
| gnu | tar | >= 6.0.0 < 6.1.2 | 6.1.2 |
| isaacs | node-tar | >= 0 < 6.0.5+ds1+~cs11.3.9-1+deb11u1 | 6.0.5+ds1+~cs11.3.9-1+deb11u1 |
| isaacs | node-tar | >= 0 < 6.1.7+~cs11.3.10-1 | 6.1.7+~cs11.3.10-1 |
| isaacs | node-tar | >= 0 < 6.1.7+~cs11.3.10-1 | 6.1.7+~cs11.3.10-1 |
| isaacs | node-tar | >= 0 < 6.1.7+~cs11.3.10-1 | 6.1.7+~cs11.3.10-1 |
| npm | node-tar | < 3.2.2 | 3.2.2 |
| npm | node-tar | — | — |
| npm | node-tar | — | — |
| npm | node-tar | — | — |
| oracle | graalvm | — | — |
| oracle | graalvm | — | — |
| siemens | sinec_infrastructure_network_services | < 1.0.1.1 | 1.0.1.1 |
| tar_project | tar | < 3.2.3 | 3.2.3 |
| tar_project | tar | < 3.2.2 | 3.2.2 |
| tar_project | tar | >= 4.0.0 < 4.4.15 | 4.4.15 |
| tar_project | tar | >= 4.0.0 < 4.4.14 | 4.4.14 |
| tar_project | tar | >= 5.0.0 < 5.0.7 | 5.0.7 |
CVSS provenance
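| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P |
| ghsa | — | 8.1 | HIGH | — |
| osv | — | 8.1 | HIGH | — |
| vendor_debian | — | 8.2 | HIGH | — |
| vendor_redhat | — | 8.2 | HIGH | — |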
GHSA
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
ghsa·2021-08-03·CVSS 8.1
CVE-2021-32804 [HIGH] CWE-22 Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
### Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`.
This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still
GHSA
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
ghsa·2021-08-03
CVE-2021-32803 [HIGH] CWE-22 Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
### Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.
This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a
OSV
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
osv·2021-08-03·CVSS 8.1
CVE-2021-32804 [HIGH] Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
### Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`.
This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still
OSV
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
osv·2021-08-03
CVE-2021-32803 [HIGH] Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
### Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created.
This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a
OSV
CVE-2021-32804: The npm package "tar" (aka node-tar) before versions 6
osv·2021-08-03·CVSS 8.1
CVE-2021-32804 [HIGH] CVE-2021-32804: The npm package "tar" (aka node-tar) before versions 6
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`)
OSV
CVE-2021-32803: The npm package "tar" (aka node-tar) before versions 6
osv·2021-08-03·CVSS 8.1
CVE-2021-32803 [HIGH] CVE-2021-32803: The npm package "tar" (aka node-tar) before versions 6
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is pre
CISA ICS
Siemens SINEC INS
cisa_ics·2022-03-10·CVSS 5.9
[MEDIUM] Siemens SINEC INS
ICS Advisory
Siemens SINEC INS
Last Revised: March 10, 2022
Alert Code: ICSA-22-069-09
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC INS
- Vulnerability: Using Components with Known Vulnerabilities
## 2. RISK EVALUATION
Successful exploitation of this vulnerability in third-party components could allow an attacker to interfere with the affected product in various ways.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Siemens reports this vulnerability affects the following SINEC INS (Infrastructure Netw
Ubuntu
Tar for Node.js vulnerability
vendor_ubuntu·2022-02-11
CVE-2021-32803 Tar for Node.js vulnerability
Title: Tar for Node.js vulnerability
Summary: Tar for Node.js would allow unintended access to files if it received specially
crafted input.
It was discovered that Tar for Node.js did not properly sanitize path inputs.
An attacker could possibly use this issue to read arbitrary files, resulting
in a directory traversal attack.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
vendor_redhat·2021-08-03·CVSS 8.2
CVE-2021-32803 [HIGH] CWE-22 nodejs-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the
Red Hat
nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
vendor_redhat·2021-08-03·CVSS 8.2
CVE-2021-32804 [HIGH] CWE-22 nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When giv
Debian
CVE-2021-32803: node-tar - The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3...
vendor_debian·2021·CVSS 8.2
CVE-2021-32803 [HIGH] CVE-2021-32803: node-tar - The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3...
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is pre
Debian
CVE-2021-32804: node-tar - The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3...
vendor_debian·2021·CVSS 8.2
CVE-2021-32804 [HIGH] CVE-2021-32804: node-tar - The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3...
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20
https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw
https://www.npmjs.com/advisories/1771
https://www.npmjs.com/package/tar
https://www.oracle.com/security-alerts/cpuoct2021.html
Published: 2021-08-03