Vulnerability identifier: #VU58206
Vulnerability risk: Medium
Exploitation vector: Network
Exploit availability: No
Vendor: npm Inc.
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to a logic issue when extracting tar files that contained both a directory
and a symlink with the same name as the directory. This order of
operations resulted in the directory being created and added to the
directory cache. When a directory is present in the directory cache,
subsequent calls to mkdir for that directory are skipped. However, this
is also where
node-tar checks for symlinks occur.
By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass
symlink checks on directories, essentially allowing an untrusted tar
file to symlink into an arbitrary location and subsequently extracting
arbitrary files into that location, thus allowing arbitrary file
creation and overwrite.
Install updates from vendor's website.
Vulnerable software versions
tar: 3.0.0 - 6.1.1
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.