Описание
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
A flaw was found in the way nodejs-tar, a Node.js module for reading and writing of tar archives, handled symbolic links when processing NPM packages. An attacker could potentially use this flaw to rewrite arbitrary files on the system.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Software Collections | nodejs010-nodejs-tar | Affected |
Показывать по
10
Дополнительная информация
Статус:
Moderate
Дефект:
CWE-59
https://bugzilla.redhat.com/show_bug.cgi?id=1209501nodejs-tar: insecure processing of symbolic links during package processing
4.3 Medium
CVSS2
Связанные уязвимости
CVSS3: 7.5
ubuntu
больше 8 лет назад
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
CVSS3: 7.5
nvd
больше 8 лет назад
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
CVSS3: 7.5
debian
больше 8 лет назад
The tar package before 2.0.0 for Node.js allows remote attackers to wr ...
4.3 Medium
CVSS2