PT-2023-5463 · Wind River · VxWorks
Martin Schobert +1
Published 2023-09-19 · Updated 2024-09-25
CVE-2023-38346
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Wind River VxWorks versions 6.9 through 7
Description
An issue was discovered in the tarExtract function, which implements TAR file extraction and therefore also processes archive members whose names are relative or absolute paths. The function does not validate these names before creating files: an absolute member name (for example /etc/passwd) or a relative name that climbs out of the extraction directory (for example ../../etc/passwd) is written to the location the name points at, resulting in a directory traversal. A developer using tarExtract may expect that it strips leading slashes from absolute paths and stops processing when a relative path resolves outside the extraction path, unless explicitly forced to do otherwise; it does neither. The vulnerability may allow a remote attacker who can get a malicious tar file passed to tarExtract to write arbitrary files and thereby execute arbitrary commands.
Recommendations
For Wind River VxWorks versions 6.9 through 7, consider disabling the tarExtract function until a patch is available, to prevent directory traversal. Restrict which callers and which inputs can reach tarExtract to reduce the exposure, and do not pass untrusted tar files to it until the issue is resolved. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Path traversal
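The member-name check that the description says a developer would expect from tarExtract, as an added example in C. This is not Wind River's code and does not reflect how tarExtract is implemented; the extraction root /tffs0/extract, the function names and the sample member names are constructed for the illustration, and the policy (strip leading slashes, drop "." components, let ".." pop the previous component and reject it when nothing is left to pop) is modelled on what GNU tar does by default unless told otherwise.

```c
/*
 * Added example (not Wind River's tarExtract): the member-name check a
 * caller of a TAR extractor would expect before any file is created.
 * Root directory, helper names and sample member names are constructed.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_NAME  1024   /* longest member name we accept */
#define MAX_DEPTH 128    /* longest component chain we accept */

/*
 * Resolve a TAR member name against an extraction root.
 * Writes "root/<normalised name>" into dst and returns 1 when the member
 * stays inside root; returns 0 and leaves dst untouched when it would
 * escape (or resolves to the root itself, so there is nothing to write).
 *
 * Policy (assumed, modelled on GNU tar defaults): leading '/' are stripped,
 * '.' components and repeated slashes are dropped, '..' removes the previous
 * component and is rejected when no component is left to remove.
 */
int tar_safe_dest(const char *root, const char *member,
                  char *dst, size_t dstlen)
{
    char   work[MAX_NAME];        /* normalised name under construction */
    size_t starts[MAX_DEPTH];     /* offset in work[] where each component began */
    size_t ncomp = 0, wlen = 0;
    const char *p = member;
    int n;

    if (strlen(member) >= sizeof work)
        return 0;

    while (*p == '/')             /* absolute name: treat it as relative to root */
        p++;

    while (*p) {
        const char *seg = p;
        size_t seglen;

        while (*p && *p != '/')
            p++;
        seglen = (size_t)(p - seg);
        while (*p == '/')         /* collapse "a//b" and a trailing '/' */
            p++;

        if (seglen == 1 && seg[0] == '.')
            continue;             /* "./x" -> "x" */

        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (ncomp == 0)
                return 0;         /* ".." with nothing to pop: would climb above root */
            wlen = starts[--ncomp];
            continue;
        }

        if (ncomp == MAX_DEPTH)
            return 0;
        starts[ncomp++] = wlen;
        if (wlen)
            work[wlen++] = '/';
        memcpy(work + wlen, seg, seglen);
        wlen += seglen;
    }
    work[wlen] = '\0';

    if (wlen == 0)
        return 0;                 /* name was "", "/", "./" or "a/..": no file to create */

    n = snprintf(dst, dstlen, "%s/%s", root, work);
    return n > 0 && (size_t)n < dstlen;
}

/*
 * Convenience wrapper: returns 1 when resolving `member` under the
 * constructed root gives exactly `expected`, or when expected is NULL
 * and the member is rejected.
 */
int check_member(const char *member, const char *expected)
{
    char dst[256];
    int ok = tar_safe_dest("/tffs0/extract", member, dst, sizeof dst);

    if (expected == NULL)
        return ok == 0;
    return ok == 1 && strcmp(dst, expected) == 0;
}

int main(void)
{
    /* Constructed member names of the kind a malicious archive would carry. */
    const char *samples[] = {
        "etc/passwd", "/etc/passwd", "../../etc/passwd",
        "a/../b/./c", "a/../../b", "./", "dir//file"
    };
    char dst[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (tar_safe_dest("/tffs0/extract", samples[i], dst, sizeof dst))
            printf("%-20s -> %s\n", samples[i], dst);
        else
            printf("%-20s -> REJECTED\n", samples[i]);
    }
    return 0;
}
```

The check is applied to the member name alone, before the extractor touches the filesystem, which is the point at which the advisory says tarExtract fails to stop. It does not by itself cover symlink or hard-link members: an archive that first creates a link pointing outside the root and then writes a later member through it still escapes, so an extractor also has to reject or relocate link members whose targets leave the root.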
Affected Products
VxWorks