Описание
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., ß and ss), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a PathReservations system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using NFD Unicode normalization (in which ß and ss are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which ß causes an inode collision with ss)). This enables an attacker to circumvent internal parallelization locks (PathReservations) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates path-reservations.js to use a normalization form that matches the target filesystem's behavior (e.g., NFKD), followed by first toLocaleLowerCase('en') and then toLocaleUpperCase('en'). As a workaround, users who cannot upgrade promptly, and who are programmatically using node-tar to extract arbitrary tarball data should filter out all SymbolicLink entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
A flaw was found in node-tar, a library for Node.js. This race condition vulnerability occurs due to incomplete handling of Unicode path collisions within the path-reservations system on case-insensitive filesystems, such as macOS APFS. A remote attacker can exploit this by providing a specially crafted tar archive containing filenames that cause these collisions, bypassing internal concurrency safeguards. Successful exploitation can lead to arbitrary file overwrite.
Отчет
This vulnerability is rated Important for Red Hat products. The node-tar library is susceptible to a race condition due to incomplete handling of Unicode path collisions, which can lead to arbitrary file overwrites via symlink poisoning. However, this issue primarily affects case-insensitive or normalization-insensitive filesystems. Red Hat Enterprise Linux and other Red Hat products typically utilize case-sensitive filesystems, which may limit the direct impact of this flaw in default configurations.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-pccs | Affected | ||
| Cryostat 4 | io.cryostat-cryostat | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Will not fix | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-ui-rhel8 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Not affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Not affected | ||
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Affected | ||
| Node HealthCheck Operator | workload-availability/node-remediation-console-rhel9 | Not affected | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9 | Will not fix | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel8 | Will not fix |
Показывать по
Дополнительная информация
Статус:
8.8 High
CVSS3
Связанные уязвимости
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting ...
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting pat
node-tar,a Tar for Node.js, has a race condition vulnerability in vers ...
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
Уязвимость библиотеки node-tar программной платформы Node.js, позволяющая нарушителю получить доступ на изменение и запись произвольных файлов
8.8 High
CVSS3