Description
tar-fs is affected by Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The vulnerability is triggered when extracting a maliciously crafted tar file and can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is in index.js of the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
A flaw was found in the tar-fs package for Node.js. In affected versions, unauthorized file writes or overwrites outside the intended extraction directory can occur when extracting a maliciously crafted tar file. The issue is associated with index.js in the tar-fs package.
Statement
This vulnerability is rated Important because an attacker who supplies a malicious tar file can write or overwrite files outside the intended extraction directory. The cause is improper handling of link resolution and of pathnames that leave the restricted directory. The risk is highest for systems that automatically extract untrusted tar files, since exploitation requires no user interaction and can lead to data corruption or unauthorized file modification.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Ceph Storage 7 | ceph | Affected | | |
| Red Hat Ceph Storage 8 | ceph | Affected | | |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/pluginregistry-rhel9 | Fixed | RHSA-2025:3932 | 16.04.2025 |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/code-rhel9 | Fixed | RHSA-2025:8244 | 28.05.2025 |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/configbump-rhel9 | Fixed | RHSA-2025:8244 | 28.05.2025 |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/dashboard-rhel9 | Fixed | RHSA-2025:8244 | 28.05.2025 |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/devspaces-operator-bundle | Fixed | RHSA-2025:8244 | 28.05.2025 |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/devspaces-rhel9-operator | Fixed | RHSA-2025:8244 | 28.05.2025 |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/imagepuller-rhel9 | Fixed | RHSA-2025:8244 | 28.05.2025 |
| Red Hat OpenShift Dev Spaces 3 Containers | devspaces/machineexec-rhel9 | Fixed | RHSA-2025:8244 | 28.05.2025 |
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
tar-fs is affected by Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The vulnerability is triggered when extracting a maliciously crafted tar file and can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is in index.js of the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
CVSS3: 7.5 High