SB2021111707 - Multiple vulnerabilities in NPM Tar

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2021-37713)

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.

2) Path traversal (CVE-ID: CVE-2021-37712)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. A remote attacker can create a specially crafted archive that, when extracted, can overwrite arbitrary files on the system.

Remediation

Install update from vendor's website.

References

• https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
• https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p