CVE Vulnerabilities

CVE-2018-20834

Improper Link Resolution Before File Access ('Link Following')

Published: Apr 30, 2019 | Modified: Nov 21, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
6.4 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:P
RedHat/V2
RedHat/V3
8.8 IMPORTANT
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).

Weakness

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

Name Vendor Start Version End Version
Node-tar Node-tar_project * 2.2.2 (excluding)
Node-tar Node-tar_project 3.0.0 (including) 4.4.2 (excluding)
Node-tar Ubuntu upstream *
Red Hat Software Collections for Red Hat Enterprise Linux 7 RedHat rh-nodejs8-nodejs-0:8.16.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS RedHat rh-nodejs8-nodejs-0:8.16.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS RedHat rh-nodejs8-nodejs-0:8.16.0-1.el7 *
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS RedHat rh-nodejs8-nodejs-0:8.16.0-1.el7 *

Potential Mitigations

  • Follow the principle of least privilege when assigning access rights to entities in a software system.
  • Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

References