Versio.io

CVE-2021-32804

Common vulnerabilities & exposures (CVE)

Published at: 03-08-2021 09:15
Last modified: 25-04-2022 09:12
Total changes: 7

Description

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary file creation/overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example, `/home/user/.bashrc` would turn into `home/user/.bashrc`.

This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`: `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path`, or a `filter` method which removes entries with absolute paths. See the referenced GitHub Advisory for details. Be aware of CVE-2021-32803, which fixes a similar bug in later versions of tar.

Common Vulnerability Scoring System (CVSS)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Base score: 8.1
Exploitability score: 2.8
Impact score: 5.2

Verification logic

A system is affected if it matches any one of the following configuration groups (groups are combined with OR):

tar (node.js), any of:
  vendor=tar_project AND product=tar AND target_software=node.js AND versionEndExcluding=3.2.2
  vendor=tar_project AND product=tar AND target_software=node.js AND versionStartIncluding=4.0.0 AND versionEndExcluding=4.4.14
  vendor=tar_project AND product=tar AND target_software=node.js AND versionStartIncluding=5.0.0 AND versionEndExcluding=5.0.6
  vendor=tar_project AND product=tar AND target_software=node.js AND versionStartIncluding=6.0.0 AND versionEndExcluding=6.1.1

Oracle GraalVM, any of:
  vendor=oracle AND product=graalvm AND version=20.3.3 AND software_edition=enterprise
  vendor=oracle AND product=graalvm AND version=21.2.0 AND software_edition=enterprise

Siemens:
  vendor=siemens AND product=sinec_infrastructure_network_services AND versionEndExcluding=1.0.1.1

Reference
Keywords

NVD, CVE-2021-32804, CVE, Common vulnerabilities & exposures, CVSS, Common vulnerability scoring system, Security, Vulnerabilities, Exposures