CVE-2021-37712

Severity: 8.6 HIGH
EPSS: 0.1% (top 75.46%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 31

Description

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Exploitability: 1.8 | Impact: 5.8

Affected Packages (6 packages)

Source | Package | Affected versions | More
CVEList V5 | npm/node-tar | < 4.4.18 | +2
Debian | node-tar | < 6.0.5+ds1+~cs11.3.9-1+deb11u2 | +3
npm | tar | 3.0.0 to 4.4.18 | +2
NVD | npmjs/tar | 5.0.0 to 5.0.9 | +2

Also affects: Debian Linux 10.0, 11.0

Patches

🔴 Vulnerability Details (4)

OSV: Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links (2021-08-31)
GHSA: Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links (2021-08-31)
CVEList: Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links (2021-08-31)
OSV: CVE-2021-37712: The npm package "tar" (aka node-tar) before versions 4 (2021-08-31)

📋 Vendor Advisories (2)

Red Hat: nodejs-tar: Insufficient symlink protection due to directory cache poisoning using symbolic links allowing arbitrary file creation and overwrite (2021-08-31)
Debian: CVE-2021-37712: node-tar - The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 h... (2021)
CVE-2021-37712 (HIGH CVSS 8.6) | The npm package "tar" (aka node-tar | cvebase.io