GHSA-j44m-qm6p-hp7m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j44m-qm6p-hp7m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-j44m-qm6p-hp7m/GHSA-j44m-qm6p-hp7m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j44m-qm6p-hp7m
- Aliases
- Published
- 2019-05-01T18:37:31Z
- Modified
- 2023-11-29T22:25:48Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Arbitrary File Overwrite in tar
- Details
-
Versions of
tarprior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.Recommendation
For tar 4.x, upgrade to version 4.4.2 or later. For tar 2.x, upgrade to version 2.2.2 or later.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-20834
- https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d
- https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8
- https://hackerone.com/reports/344595
- https://access.redhat.com/errata/RHSA-2019:1821
- https://github.com/isaacs/node-tar
- https://github.com/npm/node-tar/commits/v2.2.2
- https://github.com/npm/node-tar/compare/58a8d43...a5f7779
Affected packages
npm / tar
Package
- Name
- tar
- View open source insights on deps.dev
- Purl
- pkg:npm/tar
npm / tar
Package
- Name
- tar
- View open source insights on deps.dev
- Purl
- pkg:npm/tar