Symlink File Overwrite in tar

Do your applications use this vulnerable package? Test your applications

Overview

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Symlink File Overwrite. It does not properly normalize symbolic links pointing to targets outside the extraction root. As a result, packages may hold symbolic links to parent and sibling directories and overwrite those files when the package is extracted.

Remediation

Upgrade tar to version 2.0.0 or higher.

References

GitHub Commit
GitHub Release

Snyk patch available for versions:

<2.0.0 >=0.1.13
View patch
<0.1.13 >0.0.1
View patch

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

High
Availability

None

Credit: Tim Cuthbertson
CVE: CVE-2015-8860
CWE: CWE-208
Snyk ID: npm:tar:20151103
Disclosed: 03 Nov, 2015
Published: 06 Nov, 2015

Symlink File Overwrite
Affecting tar package, versions >0.0.1 <2.0.0

Overview

Remediation

References

Snyk patch available for versions:

CVSS Score

Symlink File Overwrite Affecting tar package, versions >0.0.1 <2.0.0

Overview

Remediation

References

Snyk patch available for versions:

Symlink File Overwrite
Affecting tar package, versions >0.0.1 <2.0.0