#VU58204 Path traversal in tar


Published: 2021-11-17

Vulnerability identifier: #VU58204

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-37713

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
tar
Web applications / JS libraries

Vendor: npm Inc.

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.

Mitigation
Install update from vendor's website.

Vulnerable software versions

tar: 4.0.0 - 6.1.8


Fixed software versions

CPE

External links
http://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability