Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction
Vulnerability Description
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
node-tar 路径遍历漏洞
Vulnerability Description
node-tar是isaacs个人开发者的一款用于文件压缩/解压缩的软件包。 node-tar 7.5.7及之前版本存在路径遍历漏洞,该漏洞源于攻击者控制的归档文件可创建指向提取根目录外文件的硬链接,可能导致任意文件读写。
CVSS Information
N/A
Vulnerability Type
N/A