PT-2021-22168 · Tar Crate +1

Martin Michaelis +1 · Published 2021-07-19 · Updated 2021-08-25 · CVE-2021-38511

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: tar crate versions prior to 0.4.36

Description: An issue was discovered in the tar crate for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via `..` traversal. This occurs when unpacking a tarball that contains a symlink, allowing the tar crate to create directories outside of the directory it is supposed to unpack into. The unpack function errors when it finally tries to create the file, but by that point the directories have already been created.

Recommendations: For versions prior to 0.4.36, update to version 0.4.36 to resolve the issue. As a temporary workaround, consider avoiding the use of symlinks in TAR archives until the update is applied. Restrict access to the unpack function of the Archive class to minimize the risk of exploitation. Avoid using the Builder class to create TAR archives that contain symlinks until the issue is resolved.
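The root cause above is that directory creation happens before the entry has been fully validated. The following is an added illustration of the containment check an unpacker needs to run on both the entry path and the symlink target before it creates any parent directory; it is example code written for this advisory, not the tar crate's own implementation, uses only the Rust standard library, and the helper names `contained_path` and `symlink_entry_is_safe` are hypothetical.

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically join `rel` onto `base`. Returns None if `rel` is absolute, carries a
/// drive prefix, or uses `..` to climb above `base`. No filesystem access is made,
/// so this must run BEFORE any create_dir_all for the entry's parent.
fn contained_path(base: &Path, rel: &Path) -> Option<PathBuf> {
    let mut out = PathBuf::from(base);
    let mut depth = 0usize; // how many components we are below `base`
    for c in rel.components() {
        match c {
            Component::Normal(n) => { out.push(n); depth += 1; }
            Component::CurDir => {}
            Component::ParentDir => {
                if depth == 0 { return None; } // would escape `base`
                out.pop();
                depth -= 1;
            }
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

/// A symlink entry is only acceptable if its own path is contained in `base` AND
/// its target, interpreted relative to the link's parent directory, also resolves
/// inside `base`. This is a lexical check only: a complete unpacker must
/// additionally refuse to follow symlinks created by earlier entries when it
/// writes later ones.
fn symlink_entry_is_safe(base: &Path, entry: &Path, target: &Path) -> bool {
    let link_path = match contained_path(base, entry) {
        Some(p) => p,
        None => return false,
    };
    let parent = link_path.parent().unwrap_or(base);
    // Re-express the parent relative to `base`, then check target from there.
    // An absolute target replaces the join result and is rejected by RootDir.
    let rel_parent = parent.strip_prefix(base).unwrap_or(Path::new(""));
    contained_path(base, &rel_parent.join(target)).is_some()
}

fn main() {
    // Constructed sample: a symlink entry "sub/link" whose target climbs out of
    // the destination directory; expected verdict is "unsafe".
    let base = Path::new("/tmp/out");
    let ok = symlink_entry_is_safe(base, Path::new("sub/link"), Path::new("../../etc"));
    println!("entry sub/link -> ../../etc safe? {}", ok);
}
```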

Exploit · Fix

Weakness Enumeration

Link Following
Path traversal

Related Identifiers

CVE-2021-38511
GHSA-62JX-8VMH-4MCW
RUSTSEC-2021-0080

Affected Products

Debian
Tar Crate