what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 6 of 6 RSS Feed

CVE-2021-37712

Status Candidate

Overview

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Related Files

Red Hat Security Advisory 2022-4914-01
Posted Jun 7, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-4914-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

tags | advisory, web, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2021-22959, CVE-2021-22960, CVE-2021-37701, CVE-2021-37712, CVE-2021-3918, CVE-2021-44531, CVE-2021-44532, CVE-2021-44533, CVE-2021-44906, CVE-2022-21824
SHA-256 | b43f0c89fd3414efa475d6ec07c2e68d3f66f12f846e7070d1966227905eca9d
Download | Favorite | View
Red Hat Security Advisory 2022-0350-04
Posted Feb 2, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-0350-04 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

tags | advisory, web, denial of service, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2020-28469, CVE-2020-7788, CVE-2021-22959, CVE-2021-22960, CVE-2021-33502, CVE-2021-37701, CVE-2021-37712, CVE-2021-3807, CVE-2021-3918
SHA-256 | 07cf30cab5cf210d32816cb8dbca0ff2d5ee3995e8c201686697cb9fca2bdbfd
Download | Favorite | View
Red Hat Security Advisory 2022-0246-04
Posted Jan 25, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-0246-04 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

tags | advisory, web, denial of service, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2020-28469, CVE-2020-7788, CVE-2021-22959, CVE-2021-22960, CVE-2021-33502, CVE-2021-37701, CVE-2021-37712, CVE-2021-3807, CVE-2021-3918
SHA-256 | ac685f0ee1416a81c17a3920f8990f34fd0bed2044d014166ed19445dfeee9de
Download | Favorite | View
Red Hat Security Advisory 2022-0041-02
Posted Jan 7, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-0041-02 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

tags | advisory, web, denial of service, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2021-22959, CVE-2021-22960, CVE-2021-37701, CVE-2021-37712, CVE-2021-3807, CVE-2021-3918
SHA-256 | a99fe197fc57400e20bfe23ee30166ab68528ec9bf0aa7cc6ad183163f65fef4
Download | Favorite | View
Red Hat Security Advisory 2021-5086-06
Posted Dec 14, 2021
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2021-5086-06 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. Issues addressed include a path sanitization vulnerability.

tags | advisory
systems | linux, redhat
advisories | CVE-2020-8565, CVE-2021-32803, CVE-2021-32804, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-37701, CVE-2021-37712
SHA-256 | 774e5117e6048e40bc0540ccd8f805fad79e574958c9975e3e273b6f6ba3280c
Download | Favorite | View
Debian Security Advisory 5008-1
Posted Nov 28, 2021
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5008-1 - It was discovered that the symlink extraction protections in node-tar, a Tar archives module for Node.js could by bypassed; allowing a malicious Tar archive to symlink into an arbitrary location.

tags | advisory, arbitrary
systems | linux, debian
advisories | CVE-2021-37701, CVE-2021-37712
SHA-256 | 915d1d41f05c7787a3911c04d0c5812980a9774de9b717719ea636a54be32acd
Download | Favorite | View
Page 1 of 1
Back1Next

File Archive:

December 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    32 Files
  • 5
    Dec 5th
    10 Files
  • 6
    Dec 6th
    13 Files
  • 7
    Dec 7th
    23 Files
  • 8
    Dec 8th
    19 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close