#VU71631 Link following in node-tar - CVE-2018-20834

Cybersecurity Help s.r.o.

Published: 2023-01-30

Vulnerability identifier: #VU71631

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-20834

CWE-ID: CWE-59

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
node-tar
Web applications / JS libraries

Vendor: isaacs

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insecure following of hardlinks inside a tarball. A remote attacker can pass a specially crafted archive to the application and overwrite arbitrary files on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

node-tar: 0.1.0 - 4.4.1

External links
https://access.redhat.com/errata/RHSA-2019:1821
https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d
https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8
https://github.com/npm/node-tar/commits/v2.2.2
https://github.com/npm/node-tar/compare/58a8d43...a5f7779
https://hackerone.com/reports/344595

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Planning Analytics Workspace

Red Hat Software Collections update for rh-nodejs8-nodejs

Insecure link following in node-tar