
CVE-2020-36566 – Path traversal in github.com/whyrusleeping/tar-utils
https://notcve.org/view.php?id=CVE-2020-36566
27 Dec 2022 — Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory. • https://github.com/whyrusleeping/tar-utils/commit/20a61371de5b51380bbdb0c7935b30b0625ac227 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-25358
https://notcve.org/view.php?id=CVE-2022-25358
18 Feb 2022 — A ..%2F path traversal vulnerability exists in the path handler of awful-salmonella-tar before 0.0.4. Attackers can only list directories (not read files). This occurs because the safe-path? Scheme predicate is not applied to directory paths. • https://github.com/mario-goulart/awful-salmonella-tar/commit/f705c881769b7610745cd4b4d8ae8b41b3f4f845 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2021-38511
https://notcve.org/view.php?id=CVE-2021-38511
10 Aug 2021 — An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal. • https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2021-32804 – Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
https://notcve.org/view.php?id=CVE-2021-32804
03 Aug 2021 — The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary file creation/overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.... • https://github.com/yamory/CVE-2021-32804 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2021-32803 – Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
https://notcve.org/view.php?id=CVE-2021-32803
03 Aug 2021 — The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary file creation/overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directo... • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2018-20990
https://notcve.org/view.php?id=CVE-2018-20990
26 Aug 2019 — An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive. • https://rustsec.org/advisories/RUSTSEC-2018-0002.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2018-20835
https://notcve.org/view.php?id=CVE-2018-20835
30 Apr 2019 — A vulnerability was found in tar-fs before 1.16.2. An arbitrary file overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. The plain file's content replaces the existing file's content. • https://github.com/ossf-cve-benchmark/CVE-2018-20835 • CWE-20: Improper Input Validation •

CVE-2018-20834 – nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link
https://notcve.org/view.php?id=CVE-2018-20834
30 Apr 2019 — A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An arbitrary file overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. The plain file's content replaces the existing file's content. A patch has been applied to node-tar v2.2.2. • https://github.com/ossf-cve-benchmark/CVE-2018-20834 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
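The eight entries above are variations on one extraction mistake: trusting a member's name or link target to land inside the destination directory. The Go program below is an added example, not code from node-tar, tar-fs, tar-utils, awful-salmonella-tar or the Rust tar crate, written over the standard library's archive/tar to show what refusing each of those shapes looks like in one place: absolute names are rejected outright rather than root-stripped (the pattern behind CVE-2021-32804), ".." is checked after path cleaning (the relative-path cases), a symlink target is resolved against the link's own directory and must stay inside the destination, the nearest existing ancestor of every member is resolved through symlinks before anything is created beneath it (the directory-cache problem in CVE-2021-32803), and whatever already occupies a name is unlinked before a regular file is created with O_EXCL, so a hardlink planted by an earlier member is never written through (the CVE-2018-20834 and CVE-2018-20835 sequence). The function names, the fixed 0644/0755 modes, the decision to stop at the first bad member and the single-member archive that main constructs are this example's own assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafeEntry = errors.New("tar: entry escapes destination") // the member would touch something outside dest

func within(dest, p string) bool { // true when the cleaned path p is dest itself or lies beneath it
	return p == dest || strings.HasPrefix(p, dest+string(filepath.Separator))
}

// safePath maps a member name onto a path under dest. Absolute names are refused outright, never root-stripped
// (one "/" stripped from "//etc/passwd" still leaves an absolute path); Join cleans, so "a/../../x" is "../x" here.
func safePath(dest, name string) (string, error) {
	if target := filepath.Join(dest, name); name != "" && !filepath.IsAbs(name) && within(dest, target) {
		return target, nil
	}
	return "", ErrUnsafeEntry
}

// safeMkdirParent resolves the nearest existing ancestor of target through symlinks and refuses it once it has left
// dest, so a symlink placed by an earlier member (or present before extraction) cannot redirect MkdirAll or the write.
func safeMkdirParent(dest, target string) error {
	dir := filepath.Dir(target)
	for _, err := os.Lstat(dir); os.IsNotExist(err); _, err = os.Lstat(dir) {
		dir = filepath.Dir(dir)
	}
	if real, err := filepath.EvalSymlinks(dir); err != nil || !within(dest, real) {
		return ErrUnsafeEntry // an ancestor that fails to resolve counts as unsafe too
	}
	return os.MkdirAll(filepath.Dir(target), 0o755)
}

// extractOne places one member after every check; modes are fixed at 0644/0755 and TOCTOU races are out of scope.
func extractOne(dest string, hdr *tar.Header, body io.Reader) error {
	target, err := safePath(dest, hdr.Name)
	if err != nil || target == dest { // "./" is the archive's own root entry
		return err
	}
	if err := safeMkdirParent(dest, target); err != nil {
		return err
	}
	os.Remove(target) // never write through a hardlink or symlink of this name that an earlier member left behind
	switch hdr.Typeflag {
	case tar.TypeDir:
		return os.MkdirAll(target, 0o755)
	case tar.TypeSymlink: // resolve the target against the link's own directory, as the kernel will
		if filepath.IsAbs(hdr.Linkname) || !within(dest, filepath.Join(filepath.Dir(target), hdr.Linkname)) {
			return ErrUnsafeEntry
		}
		return os.Symlink(hdr.Linkname, target)
	case tar.TypeLink: // a hardlink source is an archive name and gets the same checks as one
		if src, err := safePath(dest, hdr.Linkname); err == nil {
			return os.Link(src, target)
		}
		return ErrUnsafeEntry
	case tar.TypeReg: // O_EXCL: the name was just unlinked, so anything found here now is a race
		f, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
		if err == nil {
			_, err = io.Copy(f, body)
			f.Close()
		}
		return err
	}
	return nil // devices, fifos and similar are skipped
}

func SafeExtract(r io.Reader, dest string) error { // unpacks a tar stream into dest, stopping at the first bad member
	dest, err := filepath.EvalSymlinks(dest) // compare against the real directory
	if err != nil {
		return err
	}
	for tr := tar.NewReader(r); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		if err := extractOne(dest, hdr, tr); err != nil {
			return fmt.Errorf("%q: %w", hdr.Name, err)
		}
	}
}

func main() { // constructed sample: one member named "../escape", refused before anything is written
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "../escape", Typeflag: tar.TypeReg, Mode: 0o644}) // header block is written at once
	fmt.Println(SafeExtract(&buf, os.TempDir()))
}
```

Running it prints the wrapped ErrUnsafeEntry for "../escape" and touches nothing under the temporary directory. Symlinks that stay inside the destination are allowed and later members may be written through them; a stricter policy, closer to what node-tar enforces, is to reject any symlinked directory on the way to a target, which is a one-line change in safeMkdirParent (treat a real path that differs from dir as unsafe).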