VDB
HIGH 7.5

GHSA-j44m-qm6p-hp7m

Arbitrary File Overwrite in tar

Details

Versions of `tar` prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. Extracting a tarball that contains a hardlink entry pointing at a file that already exists on the system, followed by a regular file entry with the same path as the hardlink, overwrites the existing system file with the contents of the extracted file.

## Recommendation

For tar 4.x, upgrade to version 4.4.2 or later. For tar 2.x, upgrade to version 2.2.2 or later.
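Where an upgrade cannot be rolled out immediately, or where a pipeline receives tarballs from untrusted sources, the pattern the advisory describes can be detected before extraction by walking the archive entries in order and flagging any regular-file entry whose path was earlier used by a hardlink entry. The following is an added example written for this page, not code from the advisory or from the npm `tar` project; it uses Python's standard `tarfile` module instead of node-tar, the function names are my own, and the archive it builds is constructed test data (`config.json` stands in for a pre-existing system file).

```python
# Added example (not part of the advisory or the npm tar project): scan a tar
# archive for a hardlink entry that is later followed by a regular-file entry
# with the same path, the pattern described in GHSA-j44m-qm6p-hp7m.
import io
import tarfile


def find_hardlink_overwrites(tar_bytes):
    """Return (path, link_target) pairs for every regular-file entry whose
    path was earlier used by a hardlink entry in the same archive.

    Entries are examined in archive order because that is the order an
    extractor processes them: the hardlink is created first, so a later
    write to the same path goes through the link onto link_target.
    """
    findings = []
    hardlinks = {}  # archive path -> target named by the hardlink entry
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if member.islnk():
                hardlinks[member.name] = member.linkname
            elif member.isfile() and member.name in hardlinks:
                findings.append((member.name, hardlinks[member.name]))
    return findings


def is_safe_to_extract(tar_bytes):
    """True when the archive contains no hardlink/file path collision."""
    return not find_hardlink_overwrites(tar_bytes)


def build_sample_archive(with_collision):
    """Construct an in-memory tarball for exercising the scanner.

    Constructed test data: 'config.json' stands in for a file that already
    exists on the extracting system; 'notes.txt' is an ordinary entry.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        notes = b"ordinary content\n"
        info = tarfile.TarInfo("notes.txt")
        info.size = len(notes)
        tf.addfile(info, io.BytesIO(notes))

        if with_collision:
            # 1) hardlink entry: 'innocent.txt' -> 'config.json'
            link = tarfile.TarInfo("innocent.txt")
            link.type = tarfile.LNKTYPE
            link.linkname = "config.json"
            tf.addfile(link)  # header only; hardlink entries carry no data

            # 2) regular-file entry reusing the hardlink's path
            payload = b'{"replaced": true}\n'
            data = tarfile.TarInfo("innocent.txt")
            data.size = len(payload)
            tf.addfile(data, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("collision" if flag else "clean",
              find_hardlink_overwrites(build_sample_archive(flag)))
```

The scanner checks archive structure only; it does not verify whether `link_target` exists on the extracting host, so any hit is treated as grounds to reject the archive rather than as proof of impact. It is a stop-gap for inspecting inputs, not a substitute for moving to a fixed `tar` release.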

Affected packages

npm / tar
  Introduced in: 3.0.0    Fixed in: 4.4.2
  Fix: npm install tar@4.4.2

npm / tar
  Introduced in: 0    Fixed in: 2.2.2
  Fix: npm install tar@2.2.2