#VU58205 Absolute Path Traversal in tar


Vulnerability identifier: #VU58205

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-32804

CWE-ID: CWE-36

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
tar
Web applications / JS libraries

Vendor: npm Inc.

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to a logic issue when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

Mitigation
Install update from vendor's website.

Vulnerable software versions

tar: 3.0.0 - 6.1.0

External links
http://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
http://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data
Multiple vulnerabilities in IBM QRadar Suite software
Multiple vulnerabilities in IBM QRadar User Behavior Analytics
Multiple vulnerabilities in IBM Edge Application Manager
Multiple vulnerabilities in IBM QRadar Pulse for QRadar SIEM
Multiple vulnerabilities in Netcool Operations Insight
Multiple vulnerabilities in IBM Planning Analytics Workspace
Path Traversal in IBM App Connect Enterprise Certified Container
Multiple vulnerabilities in IBM QRadar Data Synchronization App
Multiple vulnerabilities in Siemens SINEC INS