// For flags

CVE-2021-37712

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Severity Score

8.6
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

El paquete npm "tar" (también se conoce como node-tar) versiones anteriores a 4.4.18, 5.0.10 y 6.1.9, presenta una vulnerabilidad de creación y escritura excesiva de archivos arbitrarios y de ejecución de código arbitrario. node-tar pretende garantizar que no se extraiga ningún archivo cuya ubicación sería modificada por un enlace simbólico. Esto es conseguido, en parte, asegurando que los directorios extraídos no sean enlaces simbólicos. Además, para prevenir llamadas innecesarias a las estadísticas para determinar si una ruta dada es un directorio, las rutas son almacenadas en caché cuando se crean los directorios. Esta lógica era insuficiente cuando se extraían archivos tar que contenían tanto un directorio como un enlace simbólico con nombres que contenían valores unicode que se normalizaban al mismo valor. Además, en los sistemas Windows, las partes de la ruta larga se resolvían a las mismas entidades del sistema de archivos que sus homólogos de la "ruta corta" de la versión 8.3. Un archivo tar especialmente diseñado podría incluir un directorio con una forma de la ruta, seguido de un enlace simbólico con una cadena diferente que resuelve a la misma entidad del sistema de archivos, seguido de un archivo usando la primera forma. Al crear primero un directorio, y luego reemplazando ese directorio con un enlace simbólico que tuviera un nombre aparente diferente que resolviera a la misma entrada en el sistema de archivos, era posible así omitir las comprobaciones de enlaces simbólicos de node-tar en los directorios, permitiendo esencialmente que un archivo tar no confiable tuviera un enlace simbólico en una ubicación arbitraria y que posteriormente extrajera archivos arbitrarios en esa ubicación, permitiendo así la creación y escritura excesiva arbitraria de archivos. Estos problemas se solucionaron en las versiones 4.4.18, 5.0.10 y 6.1.9. La rama v3 de node-tar ha quedado obsoleta y no ha recibido parches para estos problemas. Si todavía está usando una versión v3, le recomendamos que actualice a una versión más reciente de node-tar. Si esto no es posible, hay una solución disponible en la referencia GHSA-qq89-hq3f-393p

A flaw was found in the npm package "tar" (aka node-tar). Extracting tar files that contain two directories and a symlink with names containing Unicode values that normalize to the same value on Windows systems made it possible to bypass node-tar symlink checks on directories. This allows an untrusted tar file to extract and overwrite files into an arbitrary location. The highest threat from this vulnerability is to integrity and system availability.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-07-29 CVE Reserved
  • 2021-08-31 CVE Published
  • 2024-05-16 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Npmjs
Search vendor "Npmjs"
Tar
Search vendor "Npmjs" for product "Tar"
<= 4.4.17
Search vendor "Npmjs" for product "Tar" and version " <= 4.4.17"
node.js
Affected
in Microsoft
Search vendor "Microsoft"
Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Npmjs
Search vendor "Npmjs"
Tar
Search vendor "Npmjs" for product "Tar"
>= 5.0.0 <= 5.0.9
Search vendor "Npmjs" for product "Tar" and version " >= 5.0.0 <= 5.0.9"
node.js
Affected
in Microsoft
Search vendor "Microsoft"
Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Npmjs
Search vendor "Npmjs"
Tar
Search vendor "Npmjs" for product "Tar"
>= 6.0.0 <= 6.1.8
Search vendor "Npmjs" for product "Tar" and version " >= 6.0.0 <= 6.1.8"
node.js
Affected
in Microsoft
Search vendor "Microsoft"
Windows
Search vendor "Microsoft" for product "Windows"
--
Safe
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected
Oracle
Search vendor "Oracle"
Graalvm
Search vendor "Oracle" for product "Graalvm"
20.3.3
Search vendor "Oracle" for product "Graalvm" and version "20.3.3"
enterprise
Affected
Oracle
Search vendor "Oracle"
Graalvm
Search vendor "Oracle" for product "Graalvm"
21.2.0
Search vendor "Oracle" for product "Graalvm" and version "21.2.0"
enterprise
Affected
Siemens
Search vendor "Siemens"
Sinec Infrastructure Network Services
Search vendor "Siemens" for product "Sinec Infrastructure Network Services"
< 1.0.1.1
Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1"
-
Affected