PT-2019-2860 · Node.Js · Node-Tar
Max · Published 2019-04-03 · Updated 2026-02-04
CVE-2018-20834
CVSS v2.0: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
node-tar versions prior to 4.4.2
In the 2.x line, node-tar version 2.2.2 is not affected, but versions prior to 2.2.2 are affected
Description
The issue stems from incorrect link resolution before file access in the node-tar module for Node.js. A remote attacker can use it to replace the content of an existing file by supplying a tarball that contains a hardlink to a file already present on the system, followed by a plain file with the same name as the hardlink: the plain entry's data is written through the link into the pre-existing target file.
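A metadata-only pre-extraction audit for the pattern described above, written in Python with the standard tarfile module as an added example (not code from node-tar or from this advisory); the sample archive, the destination path /srv/extract and the link target path are constructed for the demonstration:

```python
import io
import posixpath
import tarfile

def build_sample_archive() -> bytes:
    """Constructed sample: a hardlink entry whose target is not provided by the
    archive itself (so it can only resolve to a file already on disk), followed
    by a regular entry with the same name. Nothing here is extracted."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("config.json")
        link.type = tarfile.LNKTYPE
        link.linkname = "../../etc/app/config.json"  # hypothetical existing file
        tar.addfile(link)
        payload = b'{"debug": true}\n'
        plain = tarfile.TarInfo("config.json")
        plain.size = len(payload)
        tar.addfile(plain, io.BytesIO(payload))
    return buf.getvalue()

def _inside(root: str, path: str) -> bool:
    """True if root/path, after normalisation, still lies under root."""
    full = posixpath.normpath(posixpath.join(root, path))
    return full == root or full.startswith(root + "/")

def audit_archive(data: bytes, dest: str = "/srv/extract") -> list[str]:
    """Inspect archive headers only and report entries matching the advisory's
    pattern; safe to run before handing the archive to any extractor."""
    findings = []
    root = posixpath.normpath(dest)
    archived = set()   # regular files the archive itself has provided so far
    hardlinks = set()  # names that were created as hardlinks
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            if not _inside(root, m.name):
                findings.append(f"{m.name!r}: entry path escapes {dest}")
            if m.islnk():
                if not _inside(root, m.linkname):
                    findings.append(f"{m.name!r}: hardlink target {m.linkname!r} escapes {dest}")
                elif m.linkname not in archived:
                    findings.append(f"{m.name!r}: hardlink target {m.linkname!r} is not an earlier archive member")
                hardlinks.add(m.name)
            elif m.isfile():
                if m.name in hardlinks:
                    findings.append(f"{m.name!r}: regular file follows a hardlink of the same name")
                archived.add(m.name)
    return findings
```

A hardlink in a well-formed archive names an earlier member of the same archive, so a target that is not one, or that resolves outside the destination, is the signal to reject the archive before extraction.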
Recommendations
For node-tar versions prior to 4.4.2, upgrade to version 4.4.2 or later.
For node-tar versions prior to 2.2.2, upgrade to version 2.2.2 or later.
Weakness Enumeration
Link Following
Affected Products
Node-Tar