nodejs, Tim Cuthbertson, NODEJS:57
Nov 03, 2015 - 7:15 a.m.

Symlink Arbitrary File Overwrite

2015-11-03 07:15:12
Tim Cuthbertson
www.npmjs.com
EPSS: 0.002

Percentile: 55.6%

Overview

Versions of tar prior to 2.0.0 are affected by an arbitrary file write vulnerability. The vulnerability occurs because tar does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.
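
The missing check can be sketched as a pre-extraction audit of entry headers. This is an added example, not code from tar or from its 2.0.0 fix; the entry shape `{ path, type, linkpath }`, the function names and the sample entries are assumptions made for illustration.

```javascript
// Added example: audit tar entry headers before extracting anything.
// Assumes extraction into an empty directory (no pre-existing symlinks).
// Lexically resolve a "/"-separated archive path against `base` (segments
// relative to the extraction root). Returns null if the path is absolute,
// climbs above the root, or would follow a symlink recorded in `links`.
function resolveInRoot(base, p, links) {
  if (p.startsWith('/')) return null;
  const out = base.slice();
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null;
      out.pop();
    } else {
      out.push(seg);
      if (links.has(out.join('/'))) return null;
    }
  }
  return out;
}

function auditEntries(entries) {
  const links = new Set(); // symlinks created by earlier entries
  const rejected = [];
  for (const e of entries) {
    const dest = resolveInRoot([], e.path, links);
    if (dest === null) {
      rejected.push({ path: e.path, reason: 'unsafe entry path' });
      continue;
    }
    if (e.type !== 'SymbolicLink') continue;
    // A relative link target is resolved from the link's own directory.
    const target = resolveInRoot(dest.slice(0, -1), e.linkpath, links);
    if (target === null) {
      rejected.push({ path: e.path, reason: 'unsafe symlink target' });
      continue;
    }
    links.add(dest.join('/'));
  }
  return rejected;
}

// Constructed sample headers, not taken from a real archive.
const sample = [
  { path: 'docs/readme.txt', type: 'File' },
  { path: 'docs/current', type: 'SymbolicLink', linkpath: 'readme.txt' },
  { path: 'cfg', type: 'SymbolicLink', linkpath: '../../outside' },
  { path: 'docs/current/x', type: 'File' },
];
console.log(auditEntries(sample));
```

The audit is deliberately conservative: it also rejects any entry or link target that passes through a symlink created earlier in the same archive, because lexical resolution cannot be trusted once a path component is itself a link.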

Recommendation

Update to version 2.0.0 or later.