Plattform
nodejs
Komponente
tar
Behoben in
2.0.0
CVE-2015-8860 describes an arbitrary file access vulnerability affecting versions of the tar utility prior to 2.0.0. This flaw allows attackers to write files outside the intended extraction directory by exploiting insufficient validation of symbolic links. The vulnerability impacts Node.js environments utilizing vulnerable tar versions and requires immediate attention to prevent potential data compromise.
An attacker can exploit this vulnerability to write arbitrary files to the system, potentially overwriting critical files or injecting malicious code. This could lead to complete system compromise, data exfiltration, or denial of service. The ability to write outside the extraction root significantly expands the attack surface, allowing attackers to target sensitive system directories. While the initial impact might seem limited to the extraction process, successful exploitation could provide a foothold for further attacks and lateral movement within the network.
CVE-2015-8860 has been publicly disclosed and a proof-of-concept may be available. While active exploitation campaigns are not widely reported, the ease of exploitation and potential impact make it a persistent risk. The vulnerability was published on 2017-10-24. It is not currently listed on CISA KEV.
Systems that rely on tar for archiving and data transfer are at risk, particularly those using older versions of the utility. This includes build servers, automated deployment pipelines, and any environment where tar archives are processed without proper validation. Shared hosting environments where users can upload and extract tar archives are also particularly vulnerable.
• linux / server:
find / -name 'tar' -version 2>/dev/null | grep 'tar \([0-9.]*\)'• linux / server:
journalctl -u tar | grep -i 'error' # Check for extraction errors related to symbolic links• generic web: Inspect tar archives received from external sources for suspicious symbolic links. Look for links that point outside of the expected extraction directory.
discovery
disclosure
patch
Exploit-Status
EPSS
0.37% (59% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2015-8860 is to upgrade to tar version 2.0.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter file system permissions to limit the potential impact of a successful exploit. Additionally, carefully review any scripts or applications that utilize tar for extraction, ensuring that the extraction directory is properly validated and sanitized. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the tar utility itself.
Kein offizieller Patch verfügbar. Prüfe auf Workarounds oder überwache auf Updates.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2015-8860 is a vulnerability in tar versions before 2.0.0 that allows attackers to write files outside the intended extraction directory by exploiting symbolic link verification issues.
You are affected if you are using a version of tar older than 2.0.0. Check your tar version using tar --version.
Upgrade to tar version 2.0.0 or later to resolve this vulnerability. This fix properly validates symbolic link targets during extraction.
While no active campaigns have been definitively linked, public proof-of-concept exploits exist, increasing the risk of opportunistic exploitation.
Refer to the GNU tar project website for information and updates related to this vulnerability: https://www.gnu.org/software/tar/
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.