#VU58204 Path traversal in tar


Published: 2021-11-17

Vulnerability identifier: #VU58204

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-37713

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
tar
Web applications / JS libraries

Vendor: npm Inc.

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due insufficient logic on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.

Mitigation
Install update from vendor's website.

Vulnerable software versions

tar: 4.0.0 - 6.1.8

External links
http://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data
Multiple vulnerabilities in IBM QRadar Suite software
Multiple vulnerabilities in IBM QRadar User Behavior Analytics
Multiple vulnerabilities in IBM Edge Application Manager
Multiple vulnerabilities in IBM QRadar Pulse for QRadar SIEM
Multiple vulnerabilities in Netcool Operations Insight
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in IBM QRadar Data Synchronization App
Multiple vulnerabilities in Siemens SINEC INS
SUSE update for nodejs12