A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Node-tar | Node-tar_project | * | 2.2.2 (excluding) |
Node-tar | Node-tar_project | 3.0.0 (including) | 4.4.2 (excluding) |
Node-tar | Ubuntu | upstream | * |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-nodejs8-nodejs-0:8.16.0-1.el7 | * |
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS | RedHat | rh-nodejs8-nodejs-0:8.16.0-1.el7 | * |
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | RedHat | rh-nodejs8-nodejs-0:8.16.0-1.el7 | * |
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | rh-nodejs8-nodejs-0:8.16.0-1.el7 | * |