Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nodejsAnonymousNODEJS:1781
HistoryAug 31, 2021 - 4:10 p.m.

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization

2021-08-3116:10:27
Anonymous
www.npmjs.com
278
JSON

Overview

Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory.

This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory.

Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path.

This only affects users of node-tar on Windows systems.

Patches

4.4.18 || 5.0.10 || 6.1.9

Workarounds

There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does.

Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.

Fix

The fixed versions strip path roots from all paths prior to being resolved against the extraction target folder, even if such paths are not โ€œabsoluteโ€.

Additionally, a path starting with a drive letter and then two dots, like c:../, would bypass the check for .. path portions. This is checked properly in the patched versions.

Finally, a defense in depth check is added, such that if the entry.absolute is outside of the extraction taret, and we are not in preservePaths:true mode, a warning is raised on that entry, and it is skipped. Currently, it is believed that this check is redundant, but it did catch some oversights in development.

Recommendation

Upgrade to versions 4.4.18, 5.0.10, 6.1.9 or later

References

Related

veracode 1
prion 1
github 2
osv 2
ibm 23
debiancve 1
ubuntucve 1
cve 1
redhatcve 1
alpinelinux 1
nessus 9
suse 4
altlinux 1
nodejsblog 1
freebsd 1
mageia 1
ics 1
oracle 1
veracode
veracode
Remote Code Execution (RCE)
2021-09-01 02:04:46
prion
prion
Remote code execution
2021-08-31 17:15:00
github
github
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
2021-08-31 16:05:05
GitHub security update: Vulnerabilities in tar and @npmcli/arborist
2021-09-08 16:00:32
osv
osv
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
2021-08-31 16:05:05
CVE-2021-37713
2021-08-31 17:15:08
ibm
ibm
Security Bulletin: Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-37713)
2021-12-02 18:18:20
Security Bulletin: Multiple vulnerabilities affect IBM Rationalยฎ Application Developer for WebSphereยฎ Software - September 2021
2021-11-16 19:44:59
Security Bulletin: A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services
2021-11-09 18:09:48
debiancve
debiancve
CVE-2021-37713
2021-08-31 17:15:00
ubuntucve
ubuntucve
CVE-2021-37713
2021-08-31 00:00:00
cve
cve
CVE-2021-37713
2021-08-31 17:15:00
redhatcve
redhatcve
CVE-2021-37713
2021-12-16 16:50:36
alpinelinux
alpinelinux
CVE-2021-37713
2021-08-31 17:15:00
nessus
nessus
Node.js Multiple Vulnerabilities (August 31st 2021 Security Releases)
2021-10-19 00:00:00
SUSE SLES15 Security Update : nodejs14 (SUSE-SU-2021:3964-1)
2021-12-08 00:00:00
openSUSE 15 Security Update : nodejs12 (openSUSE-SU-2021:1574-1)
2021-12-17 00:00:00
suse
suse
Security update for nodejs14 (important)
2021-12-10 00:00:00
Security update for nodejs14 (important)
2021-12-07 00:00:00
Security update for nodejs12 (important)
2021-12-06 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 14.17.6-alt1
2021-09-01 00:00:00
nodejsblog
nodejsblog
August 31 2021 Security Releases
2021-08-31 00:00:00
freebsd
freebsd
Node.js -- August 2021 Security Releases (2)
2021-08-31 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerability
2021-10-06 22:41:56
ics
ics
Siemens SINEC INS
2022-03-10 12:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2021
2021-10-19 00:00:00
JSON
Related for NODEJS:1781
veracode1prion1github2osv2ibm23debiancve1ubuntucve1cve1redhatcve1alpinelinux1nessus9suse4altlinux1nodejsblog1freebsd1mageia1ics1oracle1