Arbitrary File Overwrite

Affecting tar-fs package, versions <1.16.2


Overview

tar-fs provides filesystem bindings for tar-stream (packing directories into tar streams and extracting tar streams to disk).

Affected versions of this package are vulnerable to Arbitrary File Overwrite. An attacker who supplies a tarball that is extracted with tar-fs can overwrite existing files on the system: the archive contains a hardlink entry whose target is a file that already exists on the system, followed by a plain file entry with the same name as the hardlink. Writing the plain file goes through the hardlink, so its content replaces the content of the existing file.

Remediation

Upgrade tar-fs to version 1.16.2 or higher.

CVSS Score

4.8 (medium severity)
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Credit
Unknown
CVE
CVE-2018-20835
CWE
CWE-59
Snyk ID
SNYK-JS-TARFS-174556
Disclosed
30 Apr, 2019
Published
01 May, 2019