CVE-2021-32804
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Public Exploits: 1
Exploited in Wild: -
Descriptions
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
The npm package "tar" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file.
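The single-strip weakness and the `filter` workaround described above, as an added example (a simplified model written for this page, not node-tar's source). The function names and the `/srv/extract` directory are hypothetical, and the entry names are constructed samples.

```javascript
// Added illustration: a simplified model of the root stripping described above,
// not node-tar's actual source. All function names here are hypothetical.

// Matches ONE leading path root: a slash/backslash or a drive-letter prefix.
const ONE_ROOT = /^(?:[a-zA-Z]:[\/\\]?|[\/\\])/;

const isAbsolute = (p) => ONE_ROOT.test(p);

// Pre-fix behaviour as the advisory describes it: strip a single root only.
function stripOneRoot(p) {
  return p.replace(ONE_ROOT, '');
}

// Hardened form: keep stripping until no root is left.
function stripAllRoots(p) {
  let out = p;
  while (isAbsolute(out)) out = out.replace(ONE_ROOT, '');
  return out;
}

// Where an entry lands when joined to the extraction directory (POSIX rule:
// an absolute path ignores the base directory). No ".." handling; model only.
function landingPath(cwd, p) {
  if (p.startsWith('/')) return '/' + p.replace(/^\/+/, '');
  return cwd.replace(/\/+$/, '') + '/' + p;
}

// Workaround from the advisory text: a `filter` callback that drops entries
// whose path is absolute. node-tar calls filter(path, entry); true = extract.
function rejectAbsolute(entryPath) {
  return !isAbsolute(entryPath);
}

// Constructed sample entry names.
const samples = ['/home/user/.bashrc', '////home/user/.bashrc', 'docs/readme.md'];
for (const name of samples) {
  console.log(JSON.stringify({
    name,
    oneStrip: landingPath('/srv/extract', stripOneRoot(name)),
    allStrip: landingPath('/srv/extract', stripAllRoots(name)),
    filterKeeps: rejectAbsolute(name),
  }));
}
```

On a release that cannot be upgraded yet, `rejectAbsolute` can be passed as the `filter` option of the extract call so that entries with absolute paths are skipped.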
SSVC
- Decision: -
Timeline
- 2021-05-12 CVE Reserved
- 2021-08-03 CVE Published
- 2021-08-31 First Exploit
- 2024-04-18 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References (9)
URL | Tag | Source |
---|---|---|
https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 | Mitigation | |
https://www.npmjs.com/advisories/1770 | Mitigation | |
https://www.npmjs.com/package/tar | Product | |

URL | Date | SRC |
---|---|---|
https://github.com/yamory/CVE-2021-32804 | 2021-08-31 | |

URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2021-32804 | 2021-12-13 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1990409 | 2021-12-13 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Tar Project | Tar | < 3.2.2 | node.js | Affected |
Tar Project | Tar | >= 4.0.0 < 4.4.14 | node.js | Affected |
Tar Project | Tar | >= 5.0.0 < 5.0.6 | node.js | Affected |
Tar Project | Tar | >= 6.0.0 < 6.1.1 | node.js | Affected |
Oracle | Graalvm | 20.3.3 | enterprise | Affected |
Oracle | Graalvm | 21.2.0 | enterprise | Affected |
Siemens | Sinec Infrastructure Network Services | < 1.0.1.1 | - | Affected |