#VU58204 Path traversal in tar


Published: 2021-11-17

Vulnerability identifier: #VU58204

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-37713

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
tar
Web applications / JS libraries

Vendor: npm Inc.

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.

Mitigation
Install update from vendor's website.

Vulnerable software versions

tar: 4.0.0 - 6.1.8

Fixed software versions

CPE

External links
http://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar Suite software
Multiple vulnerabilities in IBM QRadar User Behavior Analytics
Multiple vulnerabilities in IBM Edge Application Manager
Multiple vulnerabilities in IBM QRadar Pulse for QRadar SIEM
Multiple vulnerabilities in Netcool Operations Insight
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in IBM QRadar Data Synchronization App
Multiple vulnerabilities in Siemens SINEC INS
SUSE update for nodejs12
SUSE update for nodejs14