ID CVE-2018-20834 Type cve Reporter cve@mitre.org Modified 2019-09-04T20:15:00
Description
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file's content replaces the existing file's content. A patch has been applied to node-tar v2.2.2.
{"id": "CVE-2018-20834", "bulletinFamily": "NVD", "title": "CVE-2018-20834", "description": "A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).", "published": "2019-04-30T19:29:00", "modified": "2019-09-04T20:15:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20834", "reporter": "cve@mitre.org", "references": ["https://access.redhat.com/errata/RHSA-2019:1821", "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8", "https://hackerone.com/reports/344595", "https://github.com/npm/node-tar/compare/58a8d43...a5f7779", "https://github.com/npm/node-tar/commits/v2.2.2", "https://nvd.nist.gov/vuln/detail/CVE-2018-20834", "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d"], "cvelist": ["CVE-2018-20834"], "type": "cve", "lastseen": "2020-12-09T20:25:40", "edition": 7, "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "github", "idList": ["GHSA-J44M-QM6P-HP7M"]}, {"type": "redhat", "idList": ["RHSA-2019:1821"]}], "modified": "2020-12-09T20:25:40", "rev": 2}, "score": {"value": 2.6, "vector": "NONE", "modified": "2020-12-09T20:25:40", "rev": 2}, "vulnersScore": 2.6}, "cpe": [], "affectedSoftware": [{"cpeName": "node-tar_project:node-tar", "name": "node-tar project node-tar", "operator": "lt", "version": "4.4.2"}, {"cpeName": "node-tar_project:node-tar", "name": "node-tar project node-tar", "operator": "lt", "version": "2.2.2"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", 
"availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cpe23": [], "cwe": ["CWE-59"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:node-tar_project:node-tar:4.4.2:*:*:*:*:*:*:*", "versionEndExcluding": "4.4.2", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:node-tar_project:node-tar:2.2.2:*:*:*:*:*:*:*", "versionEndExcluding": "2.2.2", "vulnerable": true}], "operator": "OR"}]}}
{"github": [{"lastseen": "2020-09-01T01:57:39", "bulletinFamily": "software", "cvelist": ["CVE-2018-20834"], "description": "Versions of `tar` prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.\n\n\n## Recommendation\n\nFor tar 4.x, upgrade to version 4.4.2 or later.\nFor tar 2.x, upgrade to version 2.2.2 or later.", "edition": 3, "modified": "2020-08-31T22:28:35", "published": "2019-05-01T18:37:31", "id": "GHSA-J44M-QM6P-HP7M", "href": "https://github.com/advisories/GHSA-j44m-qm6p-hp7m", "title": "Arbitrary File Overwrite in tar", "type": "github", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:46:51", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12116", "CVE-2018-12121", "CVE-2018-12122", "CVE-2018-12123", "CVE-2018-20834", "CVE-2019-5737"], "description": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.\n\nThe following packages have been upgraded to a later upstream version: rh-nodejs8-nodejs (8.16.0). 
(BZ#1665986, BZ#1710734)\n\nSecurity Fix(es):\n\n* nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link (CVE-2018-20834)\n\n* nodejs: HTTP request splitting (CVE-2018-12116)\n\n* nodejs: Denial of Service with large HTTP headers (CVE-2018-12121)\n\n* nodejs: Slowloris HTTP Denial of Service (CVE-2018-12122)\n\n* nodejs: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)\n\n* nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass (CVE-2019-5737)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-07-22T17:29:05", "published": "2019-07-22T17:09:06", "id": "RHSA-2019:1821", "href": "https://access.redhat.com/errata/RHSA-2019:1821", "type": "redhat", "title": "(RHSA-2019:1821) Important: rh-nodejs8-nodejs security update", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}]}