漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Compressing Vulnerable to Arbitrary File Write via Symlink Extraction
Vulnerability Description
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
在文件访问前对链接解析不恰当(链接跟随)
Vulnerability Title
compressing 后置链接漏洞
Vulnerability Description
compressing是node_modules开源的一个压缩和解压缩工具库。 Compressing 1.10.3及之前版本和2.0.0版本存在后置链接漏洞,该漏洞源于提取TAR归档时未验证符号链接目标,可能导致任意文件写入。
CVSS Information
N/A
Vulnerability Type
N/A