CVE-2021-32804

Published on: 08/03/2021 12:00:00 AM UTC

Last Modified on: 12/03/2021 08:42:00 PM UTC

CVE-2021-32804 - advisory for GHSA-3jfq-g458-7qm9

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Certain versions of Graalvm from Oracle contain the following vulnerability:

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

  • CVE-2021-32804 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: npm - node-tar version < 3.2.2
  • Affected Vendor/Software: npm - node-tar version >= 4.0.0, < 4.4.14
  • Affected Vendor/Software: npm - node-tar version >= 5.0.0, < 5.0.6
  • Affected Vendor/Software: npm - node-tar version >= 6.0.0, < 6.1.1

CVSS3 Score: 8.1 - HIGH

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2 Score: 5.8 - MEDIUM

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVE References

  • CONFIRM: Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization · Advisory · npm/node-tar · GitHub
    github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
  • MISC: Oracle Critical Patch Update Advisory - October 2021
    www.oracle.com/security-alerts/cpuoct2021.html
  • MISC: tar - npm
    www.npmjs.com/package/tar
  • MISC: Overview
    www.npmjs.com/advisories/1770
  • MISC: fix: strip absolute paths more comprehensively · npm/[email protected] · GitHub
    github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4

Related QID Numbers

  • 159398 Oracle Enterprise Linux Security Update for nodejs:12 (ELSA-2021-3623)
  • 159408 Oracle Enterprise Linux Security Update for nodejs:14 (ELSA-2021-3666)
  • 239590 Red Hat Update for rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon (RHSA-2021:3281)
  • 239591 Red Hat Update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon (RHSA-2021:3280)
  • 239645 Red Hat Update for nodejs:12 (RHSA-2021:3623)
  • 239654 Red Hat Update for nodejs:12 (RHSA-2021:3639)
  • 239655 Red Hat Update for nodejs:12 (RHSA-2021:3638)
  • 239658 Red Hat Update for nodejs:14 (RHSA-2021:3666)
  • 375828 Node.js Multiple Vulnerabilities (August 2021)
  • 376114 IBM Integration Bus Node.js Vulnerability (6515532,6516066)
  • 690030 Free Berkeley Software Distribution (FreeBSD) Security Update for node.js (7062bce0-1b17-11ec-9d9d-0022489ad614)
  • 91839 IBM Integration Bus Node.js Vulnerability (6515532,6516066)
  • 940217 AlmaLinux Security Update for nodejs:12 (ALSA-2021:3623)
  • 940388 AlmaLinux Security Update for nodejs:14 (ALSA-2021:3666)
  • 980366 Nodejs (npm) Security Update for tar (GHSA-3jfq-g458-7qm9)

Known Affected Configurations (CPE V2.3)

Type         Vendor       Product  Version  Update  Edition  Language
Application  Oracle       Graalvm  20.3.3   All     All      All
Application  Oracle       Graalvm  21.2.0   All     All      All
Application  Tar Project  Tar      All      All     All      All

  • cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*:
  • cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*:
  • cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*:

Social Mentions

  • Twitter @LinInfoSec (2021-08-03 21:10:13): Npm - CVE-2021-32804: npmjs.com/advisories/1770
  • Twitter @_r_netsec (2021-08-04 16:13:07): Arbitrary file write in node tar - CVE-2021-32804
  • Twitter @Myinfosecfeed (2021-08-04 16:48:22): New post: "Arbitrary file write in node tar - CVE-2021-32804" ift.tt/3lsdbew
  • Twitter @0xdea (2021-08-04 16:54:07): Arbitrary file write in node tar - CVE-2021-32804 << ? https://t.co/lsOoMXInSk
  • Twitter @CybrXx0 (2021-08-04 16:59:51): Arbitrary file write in node tar - CVE-2021-32804 via /r/netsec ift.tt/3fwwEqG #cybersecurity #netsec #news
  • Twitter @ipssignatures (2021-08-04 21:04:01): I know no IPS that has a protection/signature/rule for the vulnerability CVE-2021-32804. The vuln was published 1 d… twitter.com/i/web/status/1…
  • Twitter @ipssignatures (2021-08-04 21:04:01): The vuln CVE-2021-32804 has a tweet created 0 days ago and retweeted 7 times. twitter.com/0xdea/status/1… #Snd7e2wn2ej5gg
  • Twitter @tais9 (2021-08-04 22:11:15): Node tar file write: NVD - CVE-2021-32804
  • Twitter @KeoXes (2021-08-05 07:33:13): Arbitrary file write in node tar - CVE-2021-32804: ift.tt/3lsdbew #follow & #RT #cybersecurity #infosec
  • Twitter @techadversary (2021-08-10 00:14:32): Arbitrary file write in node tar - CVE-2021-32804 reddit.com/r/netsec/comme…
  • Reddit /r/netsec (2021-08-04 16:12:35): Arbitrary file write in node tar - CVE-2021-32804
© CVE.report 2022
