CVE-2021-37713
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.
El paquete npm "tar" (también se conoce como node-tar) versiones anteriores a 4.4.18, 5.0.10 y 6.1.9, presenta una vulnerabilidad de creación y escritura excesiva de archivos arbitrarios y de ejecución de código arbitrario. node-tar pretende garantizar que no se extraiga ningún archivo cuya ubicación esté fuera del directorio de destino de la extracción. Esto es conseguido, en parte, al sanear las rutas absolutas de las entradas dentro del archivo, omitiendo las entradas del archivo que contienen porciones de ruta ".." y resolviendo las rutas saneadas contra el directorio de destino de la extracción. Esta lógica era insuficiente en los sistemas Windows cuando se extraían archivos tar que contenían una ruta que no era una ruta absoluta, sino que especificaba una letra de unidad diferente del destino de extracción, como "C:some\path". Si la letra de la unidad no coincide con el destino de la extracción, por ejemplo, "D:\extraction\dir", entonces el resultado de "path.resolve(extractionDirectory, entryPath)" se resolvería contra el directorio de trabajo actual en la unidad "C:", en lugar del directorio de destino de la extracción. Además, una porción ".." de la ruta podía aparecer inmediatamente después de la letra de la unidad, como "C:../foo", y no era saneada apropiadamente por la lógica que buscaba ".." dentro de las porciones normalizadas y divididas de la ruta. Esto sólo afecta a los usuarios de "node-tar" en sistemas Windows. Estos problemas se han solucionado en las versiones 4.4.18, 5.0.10 y 6.1.9. La rama v3 de node-tar ha quedado obsoleta y no ha recibido parches para estos problemas. Si todavía está usando una versión v3 le recomendamos que actualice a una versión más reciente de node-tar. No hay una forma razonable de solucionar este problema sin llevar a cabo los mismos procedimientos de normalización de rutas que hace ahora node-tar. Se recomienda a los usuarios que actualicen a las últimas versiones parcheadas de node-tar, en lugar de intentar sanear las rutas por sí mismos
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-07-29 CVE Reserved
- 2021-08-31 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://www.npmjs.com/package/tar | Product |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf | 2022-04-25 | |
| https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh | 2022-04-25 | |
| https://www.oracle.com/security-alerts/cpuoct2021.html | 2022-04-25 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Npmjs Search vendor "Npmjs" | Tar Search vendor "Npmjs" for product "Tar" | < 4.4.18 Search vendor "Npmjs" for product "Tar" and version " < 4.4.18" | node.js |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
| Npmjs Search vendor "Npmjs" | Tar Search vendor "Npmjs" for product "Tar" | >= 5.0.0 < 5.0.10 Search vendor "Npmjs" for product "Tar" and version " >= 5.0.0 < 5.0.10" | node.js |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
| Npmjs Search vendor "Npmjs" | Tar Search vendor "Npmjs" for product "Tar" | >= 6.0.0 < 6.1.9 Search vendor "Npmjs" for product "Tar" and version " >= 6.0.0 < 6.1.9" | node.js |
Affected
| in | Microsoft Search vendor "Microsoft" | Windows Search vendor "Microsoft" for product "Windows" | - | - |
Safe
|
| Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 20.3.3 Search vendor "Oracle" for product "Graalvm" and version "20.3.3" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 21.2.0 Search vendor "Oracle" for product "Graalvm" and version "21.2.0" | enterprise |
Affected
| ||||||
| Siemens Search vendor "Siemens" | Sinec Infrastructure Network Services Search vendor "Siemens" for product "Sinec Infrastructure Network Services" | < 1.0.1.1 Search vendor "Siemens" for product "Sinec Infrastructure Network Services" and version " < 1.0.1.1" | - |
Affected
| ||||||