Severity
6.3
Medium severity
Details
- CVSS score: 6.3
- CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
- CWE ID
Overview
About vulnerability
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Details
- Affected product: Acorn, AlmaLinux 9.2 ESU, Alpine Linux 3.18 ELS, Amazon Linux 2 ELS, CentOS 6 ELS, CentOS 7 ELS, CentOS 8.4 ELS, CentOS 8.5 ELS, CentOS Stream 8 ELS, CloudLinux 7 ELS, Debian 10 ELS, Next.js, Node.js, Oracle Linux 6 ELS, Oracle Linux 7 ELS, RHEL 7 ELS, React, TuxCare 9.6 ESU, Ubuntu 16.04 ELS, Ubuntu 18.04 ELS, Ubuntu 20.04 ELS, c12, cacache, giget, libcipm, libnpm, make-fetch-happen, ng-packagr, npm, npm-lifecycle, nuxt, pacote, pdfjs-dist, protractor, remix, sass-loader, storybook, tar, terser-webpack-plugin, webdriver-manager
- Affected packages: tar (+152 more)
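The drive-relative link target described in the overview (C:../target.txt) is neither an absolute path nor a path with a literal ".." segment, so simple filters accept it. The following is an added example, not code from node-tar or from this advisory: it shows one way to vet a link target before creating a hardlink. The names naiveLooksSafe, resolveUnchecked, checkLinkTarget, ROOT and SAMPLES are hypothetical, and Windows path rules are assumed via Node's path.win32.

```javascript
// Added example (not node-tar's code): vet a hardlink target from an archive entry.
const path = require('node:path');
const win = path.win32; // Windows rules, so the result is the same on any host

// Hypothetical naive filter: refuse only absolute targets and literal ".." segments.
function naiveLooksSafe(target) {
  return !win.isAbsolute(target) && !target.split(/[\\/]/).includes('..');
}

// "C:../x" parses with root "C:" (drive letter, no separator): it is relative
// to that drive's current directory and is not reported as absolute.
function isDriveRelative(target) {
  return /^[A-Za-z]:$/.test(win.parse(target).root);
}

// What the target resolves to if it is trusted and joined to the extraction root.
function resolveUnchecked(extractRoot, target) {
  return win.resolve(extractRoot, target);
}

// Hardened check: refuse drive-relative and absolute targets outright, then
// require the resolved path to sit strictly below the extraction root.
function checkLinkTarget(extractRoot, target) {
  if (isDriveRelative(target)) return { ok: false, reason: 'drive-relative' };
  if (win.isAbsolute(target)) return { ok: false, reason: 'absolute' };
  const root = win.resolve(extractRoot);
  const resolved = win.resolve(root, target);
  const rel = win.relative(root, resolved);
  const escapes = rel === '' || rel === '..' || rel.startsWith('..' + win.sep);
  if (escapes || win.isAbsolute(rel)) return { ok: false, reason: 'outside-root' };
  return { ok: true, reason: 'inside-root', resolved };
}

// Constructed sample data: an extraction root and link targets.
const ROOT = 'C:\\extract\\out';
const SAMPLES = ['C:../target.txt', '../target.txt', 'C:\\Windows\\x', 'sub/file.txt'];
for (const t of SAMPLES) {
  console.log(t, '| naive ok:', naiveLooksSafe(t), '|', checkLinkTarget(ROOT, t).reason);
}
```

This check is a defence-in-depth illustration for code that handles archive link targets; upgrading tar to 7.5.10 or later is the fix the advisory names.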