Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.
WS-2019-0047 - Medium Severity Vulnerability
tar-4.4.1.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz
Dependency Hierarchy: - compiler-cli-5.2.10.tgz (Root Library) - chokidar-1.7.0.tgz - fsevents-1.2.4.tgz - node-pre-gyp-0.10.0.tgz - :x: **tar-4.4.1.tgz** (Vulnerable Library)
tar-2.2.1.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz
Path to dependency file: /Turismo-Torrevieja/package.json
Path to vulnerable library: /tmp/git/Turismo-Torrevieja/node_modules/tar/package.json
Dependency Hierarchy: - cli-1.6.1.tgz (Root Library) - node-sass-4.7.2.tgz - node-gyp-3.6.2.tgz - :x: **tar-2.2.1.tgz** (Vulnerable Library)
Found in HEAD commit: 5fe809a2e7cf19f24da932e71d58c622ec363c70
Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.
Publish Date: 2019-04-05
URL: WS-2019-0047
Base Score Metrics not available
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/803
Release Date: 2019-04-05
Fix Resolution: 4.4.2
Step up your Open Source Security Game with WhiteSource here