CVSS: 8.2EPSS: 0%CPEs: 7EXPL: 1CVE-2021-32804 – Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
https://notcve.org/view.php?id=CVE-2021-32804
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. • https://github.com/yamory/CVE-2021-32804 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4 https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 https://www.npmjs.com/advisories/1770 https://www.npmjs.com/package/tar https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-32804 https://bugzilla.redhat.com/show_bug.cgi?id=1990409 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.2EPSS: 0%CPEs: 7EXPL: 0CVE-2021-32803 – Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
https://notcve.org/view.php?id=CVE-2021-32803
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20 https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw https://www.npmjs.com/advisories/1771 https://www.npmjs.com/package/tar https://www.oracle.com/security-alerts/cpuoct2021.html https://access.redhat.com/security/cve/CVE-2021-32803 https://bugzilla.redhat.com/show_bug.cgi?id=1990415 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20193
https://notcve.org/view.php?id=CVE-2021-20193
A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability. Se detectó un fallo en el archivo src/list.c de tar versiones 1.33 y anteriores. Este fallo permite a un atacante que puede enviar un archivo de entrada diseñado a tar causar un consumo no controlado de memoria. • https://bugzilla.redhat.com/show_bug.cgi?id=1917565 https://git.savannah.gnu.org/cgit/tar.git/commit/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777 https://savannah.gnu.org/bugs/?59897 https://security.gentoo.org/glsa/202105-29 • CWE-125: Out-of-bounds Read CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20990
https://notcve.org/view.php?id=CVE-2018-20990
An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive. Se descubrió un problema en el paquete (crate) tar versiones anteriores a 0.4.16 para Rust. Una sobrescritura arbitraria de archivos puede producirse por medio de un enlace simbólico o un enlace físico en un archivo TAR. • https://rustsec.org/advisories/RUSTSEC-2018-0002.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2019-9923
https://notcve.org/view.php?id=CVE-2019-9923
pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers. pax_decode_header en sparse.c en GNU Tar, en versiones anteriores a la 1.32, tenía una desreferencia de puntero NULL al analizar ciertos archivos que tenían cabeceras extendidas mal formadas. • http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120 http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html http://savannah.gnu.org/bugs/?55369 https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241 https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E • CWE-476: NULL Pointer Dereference •