CVE-2021-32804
Published 2021-08-03
Priority P351 · high · CVSS 3.1 score 8.1
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS: 15.01% (96.3rd percentile)
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See the referenced GitHub Advisory for details. Be aware of CVE-2021-32803, which fixes a similar bug in later versions of tar.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar | < node-tar 6.1.7+~cs11.3.10-1 (bookworm) | node-tar 6.1.7+~cs11.3.10-1 (bookworm) |
| gnu | tar | >= 0 < 3.2.2 | 3.2.2 |
| gnu | tar | >= 4.0.0 < 4.4.14 | 4.4.14 |
| gnu | tar | >= 5.0.0 < 5.0.6 | 5.0.6 |
| gnu | tar | >= 6.0.0 < 6.1.1 | 6.1.1 |
| isaacs | node-tar | >= 0 < 6.0.5+ds1+~cs11.3.9-1+deb11u1 | 6.0.5+ds1+~cs11.3.9-1+deb11u1 |
| isaacs | node-tar | >= 0 < 6.1.7+~cs11.3.10-1 | 6.1.7+~cs11.3.10-1 |
| isaacs | node-tar | >= 0 < 6.1.7+~cs11.3.10-1 | 6.1.7+~cs11.3.10-1 |
| isaacs | node-tar | >= 0 < 6.1.7+~cs11.3.10-1 | 6.1.7+~cs11.3.10-1 |
| oracle | graalvm | — | — |
| oracle | graalvm | — | — |
| siemens | sinec_infrastructure_network_services | < 1.0.1.1 | 1.0.1.1 |
| tar_project | tar | < 3.2.2 | 3.2.2 |
| tar_project | tar | >= 4.0.0 < 4.4.14 | 4.4.14 |
| tar_project | tar | >= 5.0.0 < 5.0.6 | 5.0.6 |
| tar_project | tar | >= 6.0.0 < 6.1.1 | 6.1.1 |
Detection & IOCs (extracted from sources)
- Tar archive entries with repeated absolute path roots (e.g. `////home/user/.bashrc` or `///home/user/.bashrc`) are the exploit payload pattern — inspect `entry.path` values in tar files for multiple consecutive leading slashes before a path component.
- Monitor for unexpected file creation or overwrite outside the intended extraction directory when node-tar (npm package `tar`) is used to extract archives, particularly in versions before 3.3.2, 4.4.14, 5.0.6, and 6.1.1.
- A workaround/detection hook: implement a custom `onentry` method checking `entry.path` for absolute paths (paths still starting with `/`) after node-tar processing, or a `filter` method rejecting entries with absolute paths — triggering either indicates a malicious archive.
- The `preservePaths` flag being set to `true` disables absolute path stripping entirely — any deployment using `preservePaths: true` is fully exposed to path traversal regardless of this CVE's specific bypass.
- Red Hat Quay 3.3 uses an affected version of nodejs-tar but is in extended life phase — no fix will be delivered for that version; treat all Quay 3.3 deployments as permanently vulnerable.
- RHEL 8 and Red Hat Software Collections embed node-tar inside the npm command itself — a specially crafted node module delivered via `npm install` can exploit this to write files outside its package directory.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P |
| ghsa | — | 8.1 | HIGH | — |
| osv | — | 8.1 | HIGH | — |
| vendor_debian | — | 8.2 | HIGH | — |
| vendor_redhat | — | 8.2 | HIGH | — |
## GHSA
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
ghsa · 2021-08-03 · CVSS 8.1 (HIGH) · CWE-22
### Impact
Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution
`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`.
This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.
## OSV
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
osv · 2021-08-03 · CVSS 8.1 (HIGH)
## OSV
CVE-2021-32804: The npm package "tar" (aka node-tar) before versions 6…
osv · 2021-08-03 · CVSS 8.1 (HIGH)
## CISA ICS
Siemens SINEC INS
cisa_ics · 2022-03-10 · CVSS 5.9 (MEDIUM)
ICS Advisory ICSA-22-069-09: Siemens SINEC INS
Last revised: March 10, 2022
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC INS
- Vulnerability: Using Components with Known Vulnerabilities
## 2. RISK EVALUATION
Successful exploitation of this vulnerability in third-party components could allow an attacker to interfere with the affected product in various ways.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Siemens reports this vulnerability affects the following SINEC INS (Infrastructure Netw
## Red Hat
nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite
vendor_redhat · 2021-08-03 · CVSS 8.2 (HIGH) · CWE-22
## Debian
CVE-2021-32804: node-tar - The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3...
vendor_debian · 2021 · CVSS 8.2 (HIGH)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
- https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
- https://www.npmjs.com/advisories/1770
- https://www.npmjs.com/package/tar
- https://www.oracle.com/security-alerts/cpuoct2021.html