what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 7 of 7 RSS Feed

CVE-2021-37712

Status Candidate

Overview

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Related Files

Gentoo Linux Security Advisory 202405-29
Posted May 9, 2024
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.

tags | advisory, vulnerability
systems | linux, gentoo
advisories | CVE-2020-7774, CVE-2021-22883, CVE-2021-22884, CVE-2021-22918, CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, CVE-2021-22959, CVE-2021-22960, CVE-2021-3672, CVE-2021-37701, CVE-2021-37712, CVE-2021-39134
SHA-256 | 896f93d8be3fd63618f8c7828d363945d93c89399750559db27ad47c3598d38a
Red Hat Security Advisory 2022-4914-01
Posted Jun 7, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-4914-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

tags | advisory, web, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2021-22959, CVE-2021-22960, CVE-2021-37701, CVE-2021-37712, CVE-2021-3918, CVE-2021-44531, CVE-2021-44532, CVE-2021-44533, CVE-2021-44906, CVE-2022-21824
SHA-256 | b43f0c89fd3414efa475d6ec07c2e68d3f66f12f846e7070d1966227905eca9d
Red Hat Security Advisory 2022-0350-04
Posted Feb 2, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-0350-04 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

tags | advisory, web, denial of service, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2020-28469, CVE-2020-7788, CVE-2021-22959, CVE-2021-22960, CVE-2021-33502, CVE-2021-37701, CVE-2021-37712, CVE-2021-3807, CVE-2021-3918
SHA-256 | 07cf30cab5cf210d32816cb8dbca0ff2d5ee3995e8c201686697cb9fca2bdbfd
Red Hat Security Advisory 2022-0246-04
Posted Jan 25, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-0246-04 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

tags | advisory, web, denial of service, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2020-28469, CVE-2020-7788, CVE-2021-22959, CVE-2021-22960, CVE-2021-33502, CVE-2021-37701, CVE-2021-37712, CVE-2021-3807, CVE-2021-3918
SHA-256 | ac685f0ee1416a81c17a3920f8990f34fd0bed2044d014166ed19445dfeee9de
Red Hat Security Advisory 2022-0041-02
Posted Jan 7, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-0041-02 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

tags | advisory, web, denial of service, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2021-22959, CVE-2021-22960, CVE-2021-37701, CVE-2021-37712, CVE-2021-3807, CVE-2021-3918
SHA-256 | a99fe197fc57400e20bfe23ee30166ab68528ec9bf0aa7cc6ad183163f65fef4
Red Hat Security Advisory 2021-5086-06
Posted Dec 14, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-5086-06 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include a path sanitization vulnerability.

tags | advisory
systems | linux, redhat
advisories | CVE-2020-8565, CVE-2021-32803, CVE-2021-32804, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-37701, CVE-2021-37712
SHA-256 | 774e5117e6048e40bc0540ccd8f805fad79e574958c9975e3e273b6f6ba3280c
Debian Security Advisory 5008-1
Posted Nov 28, 2021
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5008-1 - It was discovered that the symlink extraction protections in node-tar, a Tar archives module for Node.js could by bypassed; allowing a malicious Tar archive to symlink into an arbitrary location.

tags | advisory, arbitrary
systems | linux, debian
advisories | CVE-2021-37701, CVE-2021-37712
SHA-256 | 915d1d41f05c7787a3911c04d0c5812980a9774de9b717719ea636a54be32acd
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close