Msrc Cbl2 Tar 1.34-3 On Cbl Mariner 2.0 vulnerabilities

CVE-2026-31802 [HIGH] CWE-22 node-tar Symlink Path Traversal via Drive-Relative Linkpath node-tar Symlink Path Traversal via Drive-Relative Linkpath Mariner: Mariner GitHub_M: GitHub_M Customer Action Required: Yes

CVE-2026-29786 [HIGH] CWE-22 node-tar: Hardlink Path Traversal via Drive-Relative Linkpath node-tar: Hardlink Path Traversal via Drive-Relative Linkpath Mariner: Mariner GitHub_M: GitHub_M Customer Action Required: Yes

CVE-2026-26960 [HIGH] CWE-22 node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction Mariner: Mariner GitHub_M: GitHub_M Customer Action Required: Yes

CVE-2025-45582 [MEDIUM] CWE-24 GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that

CVE-2023-39804 [MEDIUM] In GNU tar before 1.35 mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c. In GNU tar before 1.35 mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c. FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the

CVE-2024-28863 [MEDIUM] CWE-400 node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep

CVE-2022-48303 [MEDIUM] CWE-125 GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One of the main benefits to our customers who choose to use the Azure Linux