{ "schema_version": "1.4.0", "id": "GHSA-3jfq-g458-7qm9", "modified": "2021-08-30T23:14:50Z", "published": "2021-08-03T19:06:36Z", "aliases": [ "CVE-2021-32804" ], "summary": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "details": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. \n\nThis logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. \n\n### Patches\n\n3.2.2 || 4.4.14 || 5.0.6 || 6.1.1\n\nNOTE: an adjacent issue [CVE-2021-32803](https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw) affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your `node-tar` use case.\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths.\n\n```js\nconst path = require('path')\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n // either add this function...\n onentry: (entry) => {\n if (path.isAbsolute(entry.path)) {\n entry.path = sanitizeAbsolutePathSomehow(entry.path)\n entry.absolute = path.resolve(entry.path)\n }\n },\n\n // or this one\n filter: (file, entry) => {\n if (path.isAbsolute(entry.path)) {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "tar" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.2.2" } ] } ] }, { "package": { "ecosystem": "npm", "name": "tar" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.4.14" } ] } ] }, { "package": { "ecosystem": "npm", "name": "tar" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "5.0.0" }, { "fixed": "5.0.6" } ] } ] }, { "package": { "ecosystem": "npm", "name": "tar" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "6.0.0" }, { "fixed": "6.1.1" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32804" }, { "type": "WEB", "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4" }, { "type": "WEB", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "type": "PACKAGE", "url": "https://github.com/npm/node-tar" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/1770" }, { "type": "WEB", "url": "https://www.npmjs.com/package/tar" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-08-03T19:06:15Z", "nvd_published_at": "2021-08-03T19:15:00Z" } }