Tar
CVE-2021-38511
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal.
AnalysisAI
An issue was discovered in the tar crate before 0.4.36 for Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-59. An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal. Affected products include: Tar Project Tar. Version information: before 0.4.36.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote atta
node-tar before version 7.5.7 contains a path traversal vulnerability where inconsistent path resolution between validat
Arbitrary file overwrite in node-tar before 7.5.10 lets a malicious tar archive write files outside the intended extract
Arbitrary file overwrite and symlink poisoning in the node-tar library (versions <= 7.5.2) lets a malicious tar archive
Path traversal in node-tar versions 7.5.7 and earlier allows local attackers to read and write arbitrary files outside t
node-tar is a Tar for Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authenti
Symlink poisoning via race condition in node-tar up to version 7.5.3 allows attackers to exploit Unicode normalization o
GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to c
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite a
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step proc
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today