CVE-2021-32804
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Severity: HIGH (8.2) | EPSS: 85.0%
Description
### Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

`node-tar` aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file path contained in a tar file. For example, `/home/user/.bashrc` would turn into `home/user/.bashrc`.

This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeated path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

### Patches

3.2.2 || 4.4.14 || 5.0.6 || 6.1.1

NOTE: an adjacent issue, [CVE-2021-32803](https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw), affects this release level. Please ensure you update to the latest patch levels that address CVE-2021-32803 as well if this adjacent issue affects your `node-tar` use case.

### Workarounds

Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes `entry.path`, or a `filter` method which removes entries with absolute paths.

```js
const path = require('path')
const tar = require('tar')

tar.x({
  file: 'archive.tgz',
  // either add this function...
  onentry: (entry) => {
    if (path.isAbsolute(entry.path)) {
      // sanitizeAbsolutePathSomehow is a placeholder for your own sanitizer
      entry.path = sanitizeAbsolutePathSomehow(entry.path)
      entry.absolute = path.resolve(entry.path)
    }
  },
  // or this one
  filter: (file, entry) => {
    if (path.isAbsolute(entry.path)) {
      return false
    } else {
      return true
    }
  }
})
```

Users are encouraged to upgrade to the latest patch versions rather than attempt to sanitize tar input themselves.
Affected packages (3)
- Alpine/tar: from 0, < 0
- Debian/node-tar: from 0, < 6.0.5+ds1+~cs11.3.9-1+deb11u1
- npm/tar: from 0, < 3.2.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
References (10)
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-32804
- ADVISORY https://security.alpinelinux.org/vuln/CVE-2021-32804
- ADVISORY https://security-tracker.debian.org/tracker/CVE-2021-32804
- PATCH https://github.com/npm/node-tar
- WEB https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- WEB https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
- WEB https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
- WEB https://www.npmjs.com/advisories/1770
- WEB https://www.npmjs.com/package/tar
- WEB https://www.oracle.com/security-alerts/cpuoct2021.html