PT-2019-2860 · Node.Js · Node-Tar

Max · Published 2019-04-03 · Updated 2026-02-04 · CVE-2018-20834

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

node-tar versions prior to 4.4.2
node-tar version 2.2.2 is not affected, but versions prior to 2.2.2 are affected

Description

The issue is related to incorrect link resolution before file access in the node-tar module of the Node.js library. This can allow a remote attacker to replace existing file content when extracting a tarball containing a hardlink to a file that already exists on the system, followed by a plain file with the same name as the hardlink.

Recommendations

For node-tar versions prior to 4.4.2, upgrade to version 4.4.2 or later.
For node-tar versions prior to 2.2.2, upgrade to version 2.2.2 or later.
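
An added example, not part of the original advisory or of node-tar's code: a pre-extraction check that walks raw tar headers and reports any path that appears first as a hardlink entry and later as a plain file, which is the entry sequence the description refers to. The function names and the in-memory sample archive are constructed for illustration; the scanner reads only the basic ustar name fields (no pax or GNU long names) and does not verify header checksums.

```javascript
'use strict';
// Read a NUL-terminated field from a 512-byte tar header block.
function field(h, off, len) {
  const s = h.toString('latin1', off, off + len);
  const i = s.indexOf('\0');
  return i < 0 ? s : s.slice(0, i);
}

// Report paths that occur as a hardlink (typeflag '1') and later as a
// regular file (typeflag '0' or NUL) in the same archive.
function findHardlinkOverwrites(buf) {
  const links = new Map(); // path -> link target
  const findings = [];
  for (let off = 0; off + 512 <= buf.length;) {
    const h = buf.subarray(off, off + 512);
    if (h.every((b) => b === 0)) break; // end-of-archive marker
    const prefix = field(h, 345, 155);
    const raw = (prefix ? prefix + '/' : '') + field(h, 0, 100);
    const name = raw.replace(/^(\.\/)+/, ''); // treat ./a and a as one path
    const size = parseInt(field(h, 124, 12), 8) || 0;
    const type = String.fromCharCode(h[156]);
    if (type === '1') {
      links.set(name, field(h, 157, 100));
    } else if ((type === '0' || type === '\0') && links.has(name)) {
      findings.push({ path: name, linkTarget: links.get(name) });
    }
    off += 512 + Math.ceil(size / 512) * 512; // skip header and data blocks
  }
  return findings;
}

// Constructed sample input: header blocks built in memory (checksum left blank).
function header(name, type, linkname = '', size = 0) {
  const h = Buffer.alloc(512);
  h.write(name, 0, 'latin1');
  h.write(size.toString(8).padStart(11, '0'), 124, 'latin1');
  h.write(type, 156, 'latin1');
  h.write(linkname, 157, 'latin1');
  return h;
}

function sampleArchive(withLink) {
  const data = Buffer.alloc(512);
  data.write('new', 0, 'latin1');
  const blocks = withLink ? [header('demo/target.txt', '1', 'demo/existing.txt')] : [];
  blocks.push(header('demo/target.txt', '0', '', 3), data, Buffer.alloc(1024));
  return Buffer.concat(blocks);
}
```

A non-empty result is a reason to reject the archive before handing it to an extractor that has not been upgraded to a fixed version.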

Exploit

Fix

Link Following


Weakness Enumeration

Related Identifiers

BDU:2019-02828
CVE-2018-20834
GHSA-J44M-QM6P-HP7M
RHSA-2019:1821

Affected Products

Node-Tar