PT-2021-5776 · Npm+9 · Node-Tar+9

Published 2021-07-27 · Updated 2022-11-14 · CVE-2021-32803

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

node-tar versions prior to 3.2.3
node-tar versions prior to 4.4.15
node-tar versions prior to 5.0.7
node-tar versions prior to 6.1.2
Description

The node-tar module's protection against symbolic links when extracting tar archives is insufficient. node-tar is meant to refuse to write into a directory that is actually a symlink, but that check can be bypassed: an archive can first create a directory and then replace it with a symlink of the same name, so entries placed under that name are written through the link. An untrusted tar file can therefore create or overwrite arbitrary files in an arbitrary location.
Recommendations

For versions prior to 3.2.3, update to version 3.2.3 or later.
For versions prior to 4.4.15, update to version 4.4.15 or later.
For versions prior to 5.0.7, update to version 5.0.7 or later.
For versions prior to 6.1.2, update to version 6.1.2 or later.

As a temporary workaround, consider creating a custom filter method to prevent the extraction of symbolic links, such as:
```js
const tar = require('tar')
tar.x({
  file: 'archive.tgz',
  // node-tar calls filter(path, entry) for every entry; returning false skips it
  filter: (file, entry) => {
    if (entry.type === 'SymbolicLink') {
      return false
    } else {
      return true
    }
  }
})
```
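The filter below is an added example written for this page; it is not code from the advisory or from node-tar. It extends the symlink-only workaround above: it also refuses hard links, absolute paths and paths that climb out of the extraction directory, and it records why each entry was refused so a dry run can be logged before anything touches disk. It assumes, as the advisory's snippet does, that node-tar invokes the filter as filter(path, entry) and that entry.type carries node-tar's type names ('File', 'Directory', 'SymbolicLink', 'Link'); the entry list at the bottom is constructed for the demonstration. node-tar already strips absolute paths and refuses '..' paths by default unless preservePaths is set, so those two checks are repeated here only to make the filter's policy explicit in one place.

```javascript
// Added example (editor's code, not from the advisory or from node-tar).
// Assumed: node-tar calls filter(path, entry) and entry.type uses node-tar's
// type names ('File', 'Directory', 'SymbolicLink', 'Link').

// Collapse '.' and '..' segments of a POSIX tar path; return null when the
// path would climb above the extraction root.
function normalizeTarPath(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // escapes the root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out.join('/');
}

// Decide what to do with one archive entry and say why.
function classifyEntry(path, entry) {
  if (entry.type === 'SymbolicLink') return 'reject: symlink';
  if (entry.type === 'Link') return 'reject: hard link';
  if (path.startsWith('/')) return 'reject: absolute path';
  if (normalizeTarPath(path) === null) return 'reject: path escapes extraction root';
  return 'allow';
}

// The callback to pass as `filter` to tar.x(); true means extract the entry.
function safeFilter(path, entry) {
  return classifyEntry(path, entry) === 'allow';
}

// Run the filter over a list of entries (the same calls node-tar would make)
// and collect the decisions, so the result can be reviewed before extraction.
function planExtraction(entries) {
  const allowed = [];
  const rejected = [];
  for (const entry of entries) {
    const verdict = classifyEntry(entry.path, entry);
    (verdict === 'allow' ? allowed : rejected).push({ path: entry.path, verdict });
  }
  return { allowed, rejected };
}

// Constructed sample entries (not read from a real archive). The third entry
// is the pattern the advisory describes: a directory followed by a symlink of
// the same name. Refusing the symlink means the later file under 'pkg/' lands
// in the real directory created by the first entry.
const SAMPLE_ENTRIES = [
  { path: 'pkg/', type: 'Directory' },
  { path: 'pkg/index.js', type: 'File' },
  { path: 'pkg', type: 'SymbolicLink', linkpath: '/tmp' },
  { path: 'pkg/later.txt', type: 'File' },
  { path: 'pkg/copy.js', type: 'Link', linkpath: 'pkg/index.js' },
  { path: '../escape.txt', type: 'File' },
  { path: '/tmp/abs.txt', type: 'File' },
];

const plan = planExtraction(SAMPLE_ENTRIES);
for (const { path, verdict } of plan.rejected) console.log(`${path} -> ${verdict}`);

// Against a real archive the filter is passed to node-tar unchanged:
//   const tar = require('tar')
//   tar.x({ file: 'archive.tgz', cwd: 'out', filter: safeFilter })
```

Running the dry run over the sample list reports four refused entries (the symlink, the hard link, the '..' path and the absolute path) and leaves three to extract. Rejecting every link type is coarse, but it is the one rule that breaks the directory-then-symlink sequence regardless of which node-tar version is installed; once the fixed version is deployed, the filter can stay in place as a defence in depth at no cost to ordinary archives.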

Fix

Path traversal
Relative Path Traversal
Link Following

Weakness Enumeration

Related Identifiers

ALSA-2021:3623
ALSA-2021:3666
ALT-PU-2021-2920
ALT-PU-2021-2921
ALT-PU-2021-3615
ALT-PU-2022-1798
ALT-PU-2022-3069
ALT-PU-2022-3073
BDU:2022-00226
CESA-2021_3623
CESA-2021_3666
CVE-2021-32803
GHSA-R628-MHMH-QJHW
MGASA-2022-0103
OPENSUSE-SU-2022:0657-1
OPENSUSE-SU-2022:0704-1
OPENSUSE-SU-2022:0715-1
OPENSUSE-SU-2022_0657-1
OPENSUSE-SU-2022_0704-1
OPENSUSE-SU-2022_0715-1
OPENSUSE-SU-2022_1717-1
RHSA-2021:3280
RHSA-2021:3281
RHSA-2021:3623
RHSA-2021:3638
RHSA-2021:3639
RHSA-2021:3666
RHSA-2021_3623
RHSA-2021_3666
RLSA-2021:3623
RLSA-2021:3666
SUSE-SU-2022:0531-1
SUSE-SU-2022:0563-1
SUSE-SU-2022:0569-1
SUSE-SU-2022:0570-1
SUSE-SU-2022:0657-1
SUSE-SU-2022:0704-1
SUSE-SU-2022:0715-1
SUSE-SU-2022:1717-1
SUSE-SU-2022_1717-1
USN-5283-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Node-Tar