CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P

CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS
Percentile: 80.2%

The npm package “tar” (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14,
and 3.3.2 has an arbitrary file creation/overwrite vulnerability due to
insufficient absolute path sanitization. node-tar aims to prevent
extraction of absolute file paths by turning absolute paths into relative
paths when the preservePaths flag is not set to true. This is achieved
by stripping the absolute path root from any absolute file paths contained
in a tar file. For example, /home/user/.bashrc would turn into
home/user/.bashrc. This logic was insufficient when file paths contained
repeated path roots such as ////home/user/.bashrc. node-tar would only
strip a single path root from such paths. When given an absolute file path
with repeating path roots, the resulting path (e.g. ///home/user/.bashrc)
would still resolve to an absolute path, thus allowing arbitrary file
creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14,
5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading
by creating a custom onentry method which sanitizes the entry.path or a
filter method which removes entries with absolute paths. See the referenced
GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a
similar bug in later versions of tar.

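The single-root stripping described above, next to the two workarounds (a filter callback and an onentry callback), as an added example that is not node-tar's own code. The helper names, the simplified root pattern (which also covers a Windows drive root, going slightly beyond the POSIX case in the text) and the sample paths are assumptions made for illustration.

```javascript
// Added example, not node-tar's code. It models the behaviour the advisory describes.

// Simplified absolute-path test (assumption): a leading slash or backslash,
// or a Windows drive root such as C:\ or C:/.
const ROOT = /^(?:[a-zA-Z]:[\\/]|[\\/])/;
const isAbsolute = (p) => ROOT.test(p);

// Flawed approach from the advisory: remove a single path root only.
function stripOneRoot(p) {
  return p.replace(ROOT, '');
}

// Hardened approach: keep removing roots until the path is relative.
function stripAllRoots(p) {
  let out = p;
  while (isAbsolute(out)) out = stripOneRoot(out);
  return out;
}

// Workaround 1: a `filter` callback. node-tar calls filter(path, entry)
// and skips the entry when the callback returns false.
function rejectAbsolute(entryPath) {
  return !isAbsolute(entryPath);
}

// Workaround 2: an `onentry` callback that sanitizes entry.path in place.
function sanitizeEntry(entry) {
  entry.path = stripAllRoots(entry.path);
}

// Constructed sample entry paths (not taken from a real archive).
const samples = ['/home/user/.bashrc', '////home/user/.bashrc', 'C:\\/etc/passwd', 'docs/readme.md'];

// For each path: result of single-root stripping, whether that result is
// still absolute, the fully stripped path, and the filter's verdict.
function report(paths) {
  return paths.map((p) => ({
    path: p,
    oneRoot: stripOneRoot(p),
    stillAbsolute: isAbsolute(stripOneRoot(p)),
    allRoots: stripAllRoots(p),
    kept: rejectAbsolute(p),
  }));
}

console.table(report(samples));
```

With the tar package installed, these callbacks would be passed as the filter or onentry option of the extract call on an affected version.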
github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
launchpad.net/bugs/cve/CVE-2021-32804
nvd.nist.gov/vuln/detail/CVE-2021-32804
security-tracker.debian.org/tracker/CVE-2021-32804
www.cve.org/CVERecord?id=CVE-2021-32804
www.npmjs.com/advisories/1770
www.npmjs.com/package/tar