CVE-2021-32803
Vulnerability from cvelistv5
Published
2021-08-03 19:05
Modified
2024-08-03 23:33
Summary
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:56.082Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.npmjs.com/advisories/1771"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.npmjs.com/package/tar"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "node-tar",
          "vendor": "npm",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.2.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.4.15"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.1.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-08T14:06:49",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.npmjs.com/advisories/1771"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.npmjs.com/package/tar"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
        }
      ],
      "source": {
        "advisory": "GHSA-r628-mhmh-qjhw",
        "discovery": "UNKNOWN"
      },
      "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32803",
          "STATE": "PUBLIC",
          "TITLE": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "node-tar",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 3.2.3"
                          },
                          {
                            "version_value": "\u003e= 4.0.0, \u003c 4.4.15"
                          },
                          {
                            "version_value": "\u003e= 5.0.0, \u003c 5.0.7"
                          },
                          {
                            "version_value": "\u003e= 6.0.0, \u003c 6.1.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "npm"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw",
              "refsource": "CONFIRM",
              "url": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw"
            },
            {
              "name": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20",
              "refsource": "MISC",
              "url": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20"
            },
            {
              "name": "https://www.npmjs.com/advisories/1771",
              "refsource": "MISC",
              "url": "https://www.npmjs.com/advisories/1771"
            },
            {
              "name": "https://www.npmjs.com/package/tar",
              "refsource": "MISC",
              "url": "https://www.npmjs.com/package/tar"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf",
              "refsource": "CONFIRM",
              "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-r628-mhmh-qjhw",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32803",
    "datePublished": "2021-08-03T19:05:12",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:33:56.082Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-32803\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-08-03T19:15:08.297\",\"lastModified\":\"2024-11-21T06:07:46.637\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The npm package \\\"tar\\\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.\"},{\"lang\":\"es\",\"value\":\"El paquete npm \\\"tar\\\" (tambi\u00e9n se conoce como node-tar) versiones anteriores a 6.1.2, 5.0.7, 4.4.15 y 3.2.3 presenta una vulnerabilidad de Creaci\u00f3n y Sobrescritura de archivos arbitraria por medio de una protecci\u00f3n insuficiente de enlaces simb\u00f3licos. El objetivo de \\\"node-tar\\\" es garantizar que no se extraiga ning\u00fan archivo cuya ubicaci\u00f3n pueda ser modificada por un enlace simb\u00f3lico. Esto se consigue, en parte, al asegurar que los directorios extra\u00eddos no sean enlaces simb\u00f3licos. Adicionalmente, para evitar llamadas innecesarias a \\\"stat\\\" para determinar si una ruta dada es un directorio, las rutas se almacenan en cach\u00e9 cuando los directorios son creados. Esta l\u00f3gica era insuficiente cuando se extra\u00edan archivos tar que conten\u00edan tanto un directorio como un enlace simb\u00f3lico con el mismo nombre que el directorio. Este orden de operaciones resultaba que el directorio fuera creado y se a\u00f1adiera a la cach\u00e9 de directorios del \\\"nodo-tar\\\". Cuando un directorio est\u00e1 presente en la cach\u00e9 de directorios, las siguientes llamadas a mkdir para ese directorio se saltan. Sin embargo, aqu\u00ed es tambi\u00e9n donde \\\"node-tar\\\" comprueba que los enlaces simb\u00f3licos ocurran. Al crear primero un directorio, y luego reemplazando ese directorio con un enlace simb\u00f3lico, era posible as\u00ed omitir las comprobaciones de enlaces simb\u00f3licos de \\\"node-tar\\\" en los directorios, permitiendo esencialmente que un archivo tar no confiable se enlazara simb\u00f3licamente en una ubicaci\u00f3n arbitraria y que subsecuentemente se extrajeran archivos arbitrarios en esa ubicaci\u00f3n, permitiendo as\u00ed la creaci\u00f3n y sobrescritura de archivos arbitraria. Este problema se solucion\u00f3 en las versiones 3.2.3, 4.4.15, 5.0.7 y 6.1.2\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:P\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-59\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"3.2.3\",\"matchCriteriaId\":\"46F4025D-5388-42D2-A9E8-012087C68BC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.4.15\",\"matchCriteriaId\":\"75A17A88-D363-44AE-AD91-C174ACC20558\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndExcluding\":\"5.0.7\",\"matchCriteriaId\":\"5335FC42-CC5E-4DD6-9803-FF4141788AD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndExcluding\":\"6.1.2\",\"matchCriteriaId\":\"F18C920A-6E1F-4EDD-ABAF-701653079888\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"53B2BB06-A2F7-4603-89C3-C8500E55483A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"01E88C86-8C04-4A4A-BF45-9082AA783056\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.0.1.1\",\"matchCriteriaId\":\"B0F46497-4AB0-49A7-9453-CC26837BF253\"}]}]}],\"references\":[{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/advisories/1771\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/package/tar\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/advisories/1771\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://www.npmjs.com/package/tar\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.