Skip to main content

Tar CVE-2018-20482

MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2018-12-26 cve@mitre.org
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 26, 2018 - 18:29 nvd
MEDIUM 4.7

DescriptionNVD

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).

AnalysisAI

GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c). Rated medium severity (CVSS 4.7). Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-835. GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root). Affected products include: Gnu Tar, Debian Debian Linux, Opensuse Leap. Version information: through 1.30.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Tar

View all
CVE-2016-6321 HIGH POC
7.5 Dec 09

Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote atta

CVE-2026-24842 HIGH POC
8.2 Jan 28

node-tar before version 7.5.7 contains a path traversal vulnerability where inconsistent path resolution between validat

CVE-2026-29786 HIGH POC
8.2 Mar 07

Arbitrary file overwrite in node-tar before 7.5.10 lets a malicious tar archive write files outside the intended extract

CVE-2026-23745 HIGH POC
8.2 Jan 16

Arbitrary file overwrite and symlink poisoning in the node-tar library (versions <= 7.5.2) lets a malicious tar archive

CVE-2021-38511 HIGH POC
7.5 Aug 10

An issue was discovered in the tar crate before 0.4.36 for Rust. Rated high severity (CVSS 7.5), this vulnerability is r

CVE-2026-26960 HIGH POC
7.1 Feb 20

Path traversal in node-tar versions 7.5.7 and earlier allows local attackers to read and write arbitrary files outside t

CVE-2024-28863 MEDIUM POC
6.5 Mar 21

node-tar is a Tar for Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authenti

CVE-2026-23950 MEDIUM POC
5.9 Jan 20

Symlink poisoning via race condition in node-tar up to version 7.5.3 allows attackers to exploit Unicode normalization o

CVE-2021-37713 HIGH
8.6 Aug 31

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite

CVE-2021-37712 HIGH
8.6 Aug 31

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite

CVE-2021-37701 HIGH
8.6 Aug 31

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite a

CVE-2025-45582 MEDIUM POC
4.1 Jul 11

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step proc

Share

CVE-2018-20482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy