20 matches found
Security Bulletin: Astronomer with IBM is vulnerable to unrestricted filesystem writes due to the tar-fs package (CVE-2025-48387)
Summary Tar-fs is used by Astronomer with IBM as part of tar file processing. Vulnerability Details CVEID:CVE-2025-48387 DESCRIPTION: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir...
Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to tar-fs-1.16.4.tgz CVE-2025-48387
Summary IBM Maximo Application Suite - Monitor Component is vulnerable to tar-fs-1.16.4.tgz CVE-2025-48387. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2025-48387 DESCRIPTION: tar-fs provides filesystem bindings for tar-stream. Versio...
Security Bulletin: Security vulnerabilities were found in IBM Verify Identity Access Digital Credentials (CVE-2025-48387, CVE-2025-5889)
Summary Security vulnerabilities were addressed in IBM Verify Identity Access Digital Credentials Vulnerability Details CVEID:CVE-2025-48387 DESCRIPTION: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside...
CBL Mariner 2.0 Security Update: reaper (CVE-2025-48387)
The version of reaper installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-48387 advisory. - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue...
CVE-2025-48387 affecting package reaper for versions less than 3.1.1-19
CVE-2025-48387 affecting package reaper for versions less than 3.1.1-19. A patched version of the package is available...
Security Bulletin: Multiple Vulnerabilities in IBM Event Streams
Summary Multiple vulnerabilities were addressed in IBM Event Streams version 11.8.1. Vulnerability Details CVEID:CVE-2024-47554 DESCRIPTION: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU...
Fedora: Security Advisory (FEDORA-2025-ad2565414f)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Fedora: Security Advisory (FEDORA-2025-732290e75c)
The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Fedora 41 : yarnpkg (2025-ad2565414f)
The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-ad2565414f advisory. Fix CVE-2025-48387. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not teste...
Fedora 42 : yarnpkg (2025-732290e75c)
The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-732290e75c advisory. Fix CVE-2025-48387. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not teste...
Debian: Security Advisory (DLA-4214-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] [DLA 4214-1] node-tar-fs security update
------------------------------------------------------------------------- Debian LTS Advisory DLA-4214-1 [email protected] https://www.debian.org/lts/security/ Adrian Bunk June 11, 2025 https://wiki.debian.org/LTS -...
CVE-2025-48387 vulnerabilities
Vulnerabilities for packages: tileserver-gl, sqlpad, code-server, jitsucom-jitsu...
@capriza/far (>=0.1.2 <=2.4.2), @cobalt-engine/cobower (=2.0.0) +388 more potentially affected by CVE-2025-48387 via tar-fs (>=0.1.8 <=1.16.3)
tar-fs NPM version =0.1.8, =0.1.2, =6.0.3, =6.0.3, =6.0.3, =2.1.1, =0.10.2, =0.0.0-beta.1, =0.0.0-beta.1, =0.0.0-beta.1, =0.1.0, =0.1.0, =1.0.5, =1.1.2 - @elm-node/npm-scripts =1.0.0 - @hlsrules-test/fc-libreoffice =1.0.0 and more Source cves: CVE-2025-48387 Source advisory: OSV:GHSA-8CJ5-5RVV-WF...
007putra-my-bot (=1.1.1), 10bis-shufersal-automation (=1.0.0) +4988 more potentially affected by CVE-2025-48387 via tar-fs (>=2.0.0 <=2.1.2)
tar-fs NPM version =2.0.0, =0.2.0, =1.0.0, =1.0.0, =0.107.10, =1.19.19, =0.107.0, =0.107.0, =0.107.0, =0.69.0, =0.107.0, =0.97.1, =0.107.0, =0.107.0, =0.123.2 and more Source cves: CVE-2025-48387 Source advisory: OSV:GHSA-8CJ5-5RVV-WF4V...
CVE-2025-48387
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore n...
org.webjars.npm:image-thumbnail (=1.0.15), org.webjars.npm:pkg-fetch (=3.4.2) +3 more potentially affected by CVE-2025-48387 via org.webjars.npm:tar-fs (=2.1.1)
org.webjars.npm:tar-fs MAVEN version =2.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:tar-fs and may be impacted: - org.webjars.npm:image-thumbnail =1.0.15 - org.webjars.npm:pkg-fetch =3.4.2 - org.webjars.npm:prebuild-install =7.1...
CVE-2025-48387 tar-fs has issue where extract can write outside the specified dir with a specific tarball
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore n...
CVE-2025-48387
Summary of CVE-2025-48387 (tar-fs) : A path-traversal risk in tar-fs bindings for tar-stream affects releases prior to 3.0.9, 2.1.3, and 1.16.5, where extracting certain tarballs can write outside the intended directory. The issue has been fixed in 3.0.9, 2.1.3, and 1.16.5. As a workaround, you c...
CVE-2025-48387
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore n...