| Vulnerability Name: | CVE-2021-32804 (CCN-206719) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Assigned: | 2021-08-03 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Published: | 2021-08-03 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Updated: | 2022-04-25 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Summary: | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) 7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C)
7.1 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P)
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerability Type: | CWE-22 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-32804 Source: CONFIRM Type: Patch, Third Party Advisory https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf Source: XF Type: UNKNOWN nodejs-cve202132804-dir-traversal(206719) Source: MISC Type: Patch, Third Party Advisory https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4 Source: CONFIRM Type: Mitigation, Third Party Advisory https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 Source: CCN Type: IBM Security Bulletin 6492199 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js Source: CCN Type: IBM Security Bulletin 6495155 (Cloud Pak for Automation) Multiple vulnerabilities in Node.js affect IBM Cloud Pak for Automation Source: CCN Type: IBM Security Bulletin 6507035 (App Connect Enterprise Certified Container) IBM App Connect Enterprise Certified Container may be vulnerable to directory traversal due to CVE-2021-32804 Source: CCN Type: IBM Security Bulletin 6507095 (Planning Analytics) IBM Planning Analytics Workspace is affected by security vulnerabilities Source: CCN Type: IBM Security Bulletin 6514833 (Cloud Pak for Multicloud Management) A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services Source: CCN Type: IBM Security Bulletin 6515532 (Integration Bus) Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-32804) Source: CCN Type: IBM Security Bulletin 6573633 (QRadar Use Case Manager) IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6575667 (Spectrum Discover) High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries) Source: CCN Type: IBM Security Bulletin 6589583 (QRadar Deployment Intelligence App) IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6590981 (QRadar Data Synchronization App) IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6612727 (Cloud Pak System Software) Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System Source: CCN Type: IBM Security Bulletin 6616545 (Netcool Operations Insight) Netcool Operations Insight v1.6.5 contains fixes for multiple security vulnerabilities. Source: CCN Type: IBM Security Bulletin 6825871 (Tivoli Netcool/OMNIbus_GUI) Multiple vulnerabilities in React, webpack and Node.js modules affect Tivoli Netcool/OMNIbus WebGUI Source: CCN Type: IBM Security Bulletin 6830017 (QRadar Pulse App) QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6956539 (MobileFirst Platform Foundation) Multiple vulnerabilities found with third-party libraries used by IBM MobileFirst Platform Source: CCN Type: IBM Security Bulletin 6967283 (QRadar User Behavior Analytics) IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities Source: CCN Type: IBM Security Bulletin 6991615 (Edge Application Manager) Open Source Dependency Vulnerability Source: CCN Type: IBM Security Bulletin 7008939 (Security Verify Governance) Multiple vulnerabilities fixed in IBM Security Verify Governance - Identity Manager Virtual Appliance Source: CCN Type: NPM Web site tar Source: MISC Type: Mitigation, Third Party Advisory https://www.npmjs.com/advisories/1770 Source: MISC Type: Product, Third Party Advisory https://www.npmjs.com/package/tar Source: MISC Type: Patch, Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2021.html | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration 3: Configuration RedHat 1: Configuration RedHat 2: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||