Description
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if the tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
A flaw was found in node-tar, a Tar utility for Node.js. This vulnerability allows a local attacker to potentially disclose sensitive information. When the .t (or .list) function is used with { sync: true } to read tar entry contents, and the tar file is concurrently modified on disk to a smaller size, the function may return uninitialized memory contents. This could lead to the exposure of arbitrary data.
Statement
This vulnerability is rated Moderate for Red Hat products because it affects node-tar when synchronously reading tar entry contents from a file that is concurrently modified to a smaller size. This race condition can lead to the exposure of uninitialized memory. Exploitation requires an attacker to control the tar file and time its modification during a synchronous read operation.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-pccs | Fix deferred | ||
| Cryostat 4 | io.cryostat-cryostat | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Fix deferred | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-ui-rhel8 | Fix deferred | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Fix deferred | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Fix deferred | ||
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Fix deferred | ||
| Node HealthCheck Operator | workload-availability/node-remediation-console-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel8 | Fix deferred | ||
CVSS3: 4.7 Medium
Related vulnerabilities
node-tar has a race condition leading to uninitialized memory exposure
Vulnerability in the node-tar library of the Node.js software platform allowing an attacker to disclose protected information