What is CVE-2021-32803?

CVE-2021-32803 is a vulnerability in the node-tar package that allows a local attacker to traverse directories on the system by exploiting insufficient symlink protection.

What is the severity of CVE-2021-32803?

The severity of CVE-2021-32803 is high with a CVSS score of 8.1.

How does CVE-2021-32803 affect the node-tar package?

CVE-2021-32803 affects the npm package "tar" (aka node-tar) versions before 6.1.2, 5.0.7, 4.4.15, and 3.2.3.

How can I fix CVE-2021-32803?

To fix CVE-2021-32803, you need to update the node-tar package to version 6.1.2, 5.0.7, 4.4.15, or 3.2.3.

Where can I find more information about CVE-2021-32803?

You can find more information about CVE-2021-32803 on the following references: npmjs.com, GitHub advisory GHSA-r628-mhmh-qjhw, and the GitHub commit 9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20.

Vulnerability/
CVE-2021-32803

high

8.2

CWE

22 23 59

3/8/2021

26/1/2024

CVE-2021-32803: Path Traversal

First published: Tue Aug 03 2021(Updated: )

### Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2. ### Patches 3.2.3 || 4.4.15 || 5.0.7 || 6.1.2 ### Workarounds Users may work around this vulnerability without upgrading by creating a custom `filter` method which prevents the extraction of symbolic links. ```js const tar = require('tar') tar.x({ file: 'archive.tgz', filter: (file, entry) => { if (entry.type === 'SymbolicLink') { return false } else { return true } } }) ``` Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
redhat/rh-nodejs14-nodejs	<0:14.17.5-1.el7	0:14.17.5-1.el7
redhat/rh-nodejs12-nodejs	<0:12.22.5-1.el7	0:12.22.5-1.el7
redhat/rh-nodejs12-nodejs-nodemon	<0:2.0.3-5.el7	0:2.0.3-5.el7
Tar Project Tar	<3.2.3
Tar Project Tar	>=4.0.0<4.4.15
Tar Project Tar	>=5.0.0<5.0.7
Tar Project Tar	>=6.0.0<6.1.2
Oracle GraalVM	=20.3.3
Oracle GraalVM	=21.2.0
Siemens Sinec Infrastructure Network Services	<1.0.1.1
IBM Cloud Pak for Security	<=1.10.0.0 - 1.10.11.0
IBM QRadar Suite Software	<=1.10.12.0 - 1.10.16.0
redhat/nodejs-tar	<3.2.3	3.2.3
redhat/nodejs-tar	<4.4.15	4.4.15
redhat/nodejs-tar	<5.0.7	5.0.7
redhat/nodejs-tar	<6.1.2	6.1.2
npm/tar	>=3.0.0<3.2.3	3.2.3
npm/tar	>=6.0.0<6.1.2	6.1.2
npm/tar	>=5.0.0<5.0.7	5.0.7
npm/tar	>=4.0.0<4.4.15	4.4.15

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2021-32803?
CVE-2021-32803 is a vulnerability in the node-tar package that allows a local attacker to traverse directories on the system by exploiting insufficient symlink protection.
What is the severity of CVE-2021-32803?
The severity of CVE-2021-32803 is high with a CVSS score of 8.1.
How does CVE-2021-32803 affect the node-tar package?
CVE-2021-32803 affects the npm package "tar" (aka node-tar) versions before 6.1.2, 5.0.7, 4.4.15, and 3.2.3.
How can I fix CVE-2021-32803?
To fix CVE-2021-32803, you need to update the node-tar package to version 6.1.2, 5.0.7, 4.4.15, or 3.2.3.
Where can I find more information about CVE-2021-32803?
You can find more information about CVE-2021-32803 on the following references: npmjs.com, GitHub advisory GHSA-r628-mhmh-qjhw, and the GitHub commit 9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20.

collector/redhat-cve
collector/nvd-index
collector/ibm-support
agent/author
agent/type
agent/first-publish-date
agent/remedy
agent/weakness
agent/references
agent/severity
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2021-32803
agent/software-canonical-lookup
collector/github-advisory-latest
source/GitHub
alias/GHSA-r628-mhmh-qjhw
agent/last-modified-date
agent/description
agent/softwarecombine
agent/tags
agent/event
collector/nvd-cve
source/NVD
collector/github-advisory
package-manager/redhat
vendor/tar project
canonical/tar project tar
version/tar project tar/4.0.0
version/tar project tar/5.0.0
version/tar project tar/6.0.0
vendor/oracle
canonical/oracle graalvm
version/oracle graalvm/20.3.3
version/oracle graalvm/21.2.0
vendor/siemens
canonical/siemens sinec infrastructure network services
vendor/ibm
canonical/ibm cloud pak for security
version/ibm cloud pak for security/1.10.0.0 - 1.10.11.0
canonical/ibm qradar suite software
version/ibm qradar suite software/1.10.12.0 - 1.10.16.0
package-manager/npm