Description
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.
A flaw was found in nodejs-tar in versions prior to 4.4.2. An arbitrary file overwrite can occur when extracting tarballs containing a hard-link to a file that already exists in the system. Further, a file that matches the hard-link may overwrite the system's files with the contents of the extracted file. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
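The following is an added example, not code from the advisory or from node-tar itself: a pre-extraction scan that walks the raw tar headers and flags the pattern described above, a hardlink entry followed by a plain-file entry with the same path, so the archive can be rejected before anything is unpacked. It assumes plain ustar headers (PAX extended headers are not interpreted); the `tarEntry` fixture builder and the sample archive are constructed here for the demonstration.

```javascript
// Added example (not node-tar code): scan a tar buffer for a hardlink entry
// that is later followed by a plain file entry with the same path.
const TYPE_HARDLINK = '1';
const TYPE_REGULAR = new Set(['0', '\0']);
// Read the fields we need from one 512-byte ustar header block (PAX headers not handled).
function parseHeader(block) {
  const field = (off, len) => block.toString('latin1', off, off + len).split('\0')[0];
  const name = field(0, 100);
  if (name === '') return null;                              // zero block: end of archive
  const size = parseInt(field(124, 12).trim() || '0', 8);    // octal, NUL/space terminated
  return { name, size, type: block.toString('latin1', 156, 157), linkpath: field(157, 100) };
}

// Return every plain-file entry whose path was earlier claimed by a hardlink entry.
// A vulnerable extractor writes that entry through the link, into the link target,
// so an archive with any finding should be rejected before unpacking starts.
function findHardlinkOverwrites(tarBuf) {
  const hardlinks = new Map();                               // entry path -> link target
  const findings = [];
  for (let off = 0; off + 512 <= tarBuf.length; ) {
    const hdr = parseHeader(tarBuf.subarray(off, off + 512));
    if (hdr === null) break;
    if (hdr.type === TYPE_HARDLINK) hardlinks.set(hdr.name, hdr.linkpath);
    else if (TYPE_REGULAR.has(hdr.type) && hardlinks.has(hdr.name))
      findings.push({ path: hdr.name, target: hardlinks.get(hdr.name) });
    off += 512 + Math.ceil(hdr.size / 512) * 512;            // header plus padded data
  }
  return findings;
}

// Hypothetical fixture builder (not node-tar): one ustar header plus padded body.
function tarEntry(name, type, body = '', linkpath = '') {
  const hdr = Buffer.alloc(512);
  hdr.write(name, 0); hdr.write(type, 156); hdr.write(linkpath, 157); hdr.write('ustar', 257);
  hdr.write('0000644\0', 100); hdr.write('0000000\0', 108); hdr.write('0000000\0', 116);
  hdr.write(Buffer.byteLength(body).toString(8).padStart(11, '0') + '\0', 124);
  hdr.write('00000000000\0', 136); hdr.write('        ', 148); // mtime; checksum blank
  let sum = 0; for (const b of hdr) sum += b;
  hdr.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  const data = Buffer.from(body);
  return Buffer.concat([hdr, data, Buffer.alloc((512 - data.length % 512) % 512)]);
}
// Constructed sample archive: a benign file, then the hardlink/plain-file pair.
const SAMPLE_TAR = Buffer.concat([
  tarEntry('readme.txt', '0', 'hello\n'),
  tarEntry('notes.txt', '1', '', 'existing.txt'),          // aliases a file already on disk
  tarEntry('notes.txt', '0', 'replacement content\n'),    // would land in existing.txt
  Buffer.alloc(1024),                                      // two zero blocks end the archive
]);
```

Running `findHardlinkOverwrites(SAMPLE_TAR)` reports the single `notes.txt` entry with its target `existing.txt`, while the benign `readme.txt` entry produces no finding.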
Statement
In Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container bundles many nodejs packages as build-time dependencies, including the tar package. The vulnerable nodejs tar package is not used in a way that makes this vulnerability exploitable, hence the impact of this vulnerability on OpenShift Logging is Low.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | | |
| Red Hat Enterprise Linux 8 | nodejs:10/nodejs | Not affected | | |
| Red Hat Mobile Application Platform 4 | nodejs-tar | Not affected | | |
| Red Hat OpenShift Container Platform 3.10 | kibana | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | kibana | Not affected | | |
| Red Hat OpenShift Container Platform 3.6 | kibana | Not affected | | |
| Red Hat OpenShift Container Platform 3.7 | kibana | Not affected | | |
| Red Hat OpenShift Container Platform 3.9 | kibana | Not affected | | |
| Red Hat OpenShift Container Platform 4 | kibana | Not affected | | |
| Red Hat Software Collections | rh-nodejs10-nodejs | Not affected | | |
Additional information
Status:
CVSS3: 8.8 High
Related vulnerabilities
Vulnerability in the node-tar module of the Node.js library that allows an attacker to replace the existing content of a file
CVSS3: 8.8 High