CVE-2021-37713

CWE-22 — Path Traversal7 documents6 sources

Severity

8.6HIGH

EPSS

0.3%

top 45.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NPM Node-tar Npmjs TAR Siemens Sinec Infrastructure Network Services +1 more

Timeline

PublishedAug 31

Description

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction targ…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.8

Affected Packages6 packages

▶CVEListV5npm/node-tar< 4.4.18+2

▶Alpinenodejs< 12.22.6-r0+12

▶NVDsiemens/sinec_infrastructure_network_services< 1.0.1.1

▶npmtar5.0.0 — 5.0.10+2

▶NVDnpmjs/tar5.0.0 — 5.0.10+2

Patches

Patch: cert-portal.siemens.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization↗2021-08-31

▶

CVEList

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization↗2021-08-31

▶

OSV

CVE-2021-37713: The npm package "tar" (aka node-tar) before versions 4↗2021-08-31

▶

OSV

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization↗2021-08-31

▶

📋Vendor Advisories

Red Hat

nodejs-tar: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization↗2021-08-31

▶

Debian

CVE-2021-37713: node-tar - The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 h...↗2021

▶