Platform
nodejs
Component
tar
Fixed in
4.4.17
5.0.1
6.0.1
4.4.16
CVE-2021-37701 is an arbitrary file creation and overwrite vulnerability in the node-tar package (the npm package `tar`), caused by insufficient symbolic-link protection during extraction. An archive that contains both a directory and a symbolic link with the same name can poison node-tar's directory cache, so that later entries are written through the symlink to locations outside the extraction directory; depending on which files the attacker can overwrite, this can escalate to arbitrary code execution. Fixed versions are 4.4.16, 5.0.8 and 6.1.7.
CVE-2021-37701 in node-tar allows arbitrary file creation, arbitrary file overwriting and, as a consequence, arbitrary code execution. node-tar aims to guarantee that no file is extracted to a location that a symbolic link would redirect. This is achieved in part by ensuring that extracted directories are not symlinks. Additionally, to avoid unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient for tar files containing specially crafted entries: once a directory path is cached, a later symlink entry with the same name replaces the directory on disk, but the cache still reports a real directory, so subsequent entries under that path are written through the symlink without being re-checked. An attacker can use this to control the location of extracted files even though the application relies on node-tar's symlink protection, leading to files being created or overwritten outside the intended destination directory, and to malicious code execution if a writable script, configuration file or similar target is overwritten. The CVSS score is 8.2 (high severity).
The vulnerability is exploited by supplying a malicious tar archive to an application that uses node-tar to extract it, for example an upload endpoint, a build step or a package installer. The archive's entry names and ordering are crafted so that the symlink check is bypassed and files are written outside the destination directory. Files land wherever the extracting process has write permission, and run with that process's privileges; an attacker could use this to overwrite application code or configuration, exfiltrate confidential data, or execute malicious code.
Exploit status
EPSS
0.11% (30th percentile)
CVSS vector
The primary mitigation for CVE-2021-37701 is to upgrade node-tar to a fixed release on your major line: 4.4.16, 5.0.8 or 6.1.7, or later. These versions correct the vulnerability by tightening the directory cache and path checks used during extraction so that a symlink can no longer masquerade as a previously created directory. Additionally, validate the source of tar files before extracting them, especially when they come from untrusted parties. Malware scanning before extraction can help detect known malicious archives. Running the extraction with minimal privileges and strict access controls on the destination directory and its surroundings limits what an exploit can overwrite.
Upgrade the 'tar' package to version 4.4.16, 5.0.8 or 6.1.7, or later. This resolves the arbitrary file creation/overwrite vulnerability caused by insufficient symbolic-link protection. If you are using version 3, upgrade to a more recent version.
node-tar is a JavaScript library for Node.js that provides functionality for creating and extracting tar archives.
Upgrading to version 4.4.16, 5.0.8 or 6.1.7 (or later on the same major line) corrects a high-severity vulnerability (CVSS 8.2) that could allow an attacker to write files outside the extraction directory and compromise your system.
If you cannot update immediately, validate the source of tar files before extraction, extract with a low-privilege process, and restrict where that process can write, both in the destination directory and in any location a symlink could point to.
If you are using node-tar 4.x older than 4.4.16, 5.x older than 5.0.8, or 6.x older than 6.1.7, you are vulnerable; unsupported lines such as 3.x received no fix and should be upgraded.
Yes, there are several malware scanning tools that can help detect malicious tar files, but they do not replace upgrading: a triggering archive needs no malicious payload, only a crafted directory and symlink layout, which a signature scanner may not flag.