Vulnerability Name:

CVE-2021-37713 (CCN-208451)

Assigned:2021-08-31
Published:2021-08-31
Updated:2022-04-25
Summary:The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.
CVSS v3 Severity:8.6 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
7.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): None
CVSS v2 Severity:4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
6.2 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): None
Vulnerability Type:CWE-22
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-37713

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: XF
Type: UNKNOWN
nodejs-cve202137713-code-exec(208451)

Source: CCN
Type: GitHub Web site
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh

Source: CCN
Type: Node.js Blog, 2021-08-31
August 31 2021 Security Releases

Source: CCN
Type: IBM Security Bulletin 6492199 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Node.js

Source: CCN
Type: IBM Security Bulletin 6509088 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected by multiple vulnerabilities in Node.js

Source: CCN
Type: IBM Security Bulletin 6514805 (Cloud Pak for Multicloud Management)
A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services

Source: CCN
Type: IBM Security Bulletin 6516788 (Rational Application Developer for WebSphere Software)
Multiple vulnerabilities affect IBM Rational Application Developer for WebSphere Software - September 2021

Source: CCN
Type: IBM Security Bulletin 6517470 (Planning Analytics)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6522970 (Integration Bus)
Vulnerabilities in Node.js affect IBM Integration Bus v10 (CVE-2021-37713)

Source: CCN
Type: IBM Security Bulletin 6525674 (Rational Developer for i)
Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software included in Rational Developer for i

Source: CCN
Type: IBM Security Bulletin 6541298 (Cloud Pak for Automation)
Multiple security vulnerabilities fixed in Cloud Pak for Automation components

Source: CCN
Type: IBM Security Bulletin 6574481 (Cloud Private)
Security Vulnerabilities affect IBM Cloud Private - Node.js (CVE-2021-37713)

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6589583 (QRadar Deployment Intelligence App)
IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6590981 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6602551 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js

Source: CCN
Type: IBM Security Bulletin 6612727 (Cloud Pak System Software)
Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6616545 (Netcool Operations Insight)
Netcool Operations Insight v1.6.5 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6825871 (Tivoli Netcool/OMNIbus_GUI)
Multiple vulnerabilities in React, webpack and Node.js modules affect Tivoli Netcool/OMNIbus WebGUI

Source: CCN
Type: IBM Security Bulletin 6830017 (QRadar Pulse App)
QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6956539 (MobileFirst Platform Foundation)
Multiple vulnerabilities found with third-party libraries used by IBM MobileFirst Platform

Source: CCN
Type: IBM Security Bulletin 6967283 (QRadar User Behavior Analytics)
IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6991615 (Edge Application Manager)
Open Source Dependency Vulnerability

Source: CCN
Type: IBM Security Bulletin 7008939 (Security Verify Governance)
Multiple vulnerabilities fixed in IBM Security Verify Governance - Identity Manager Virtual Appliance

Source: CCN
Type: NPM Web site
tar

Source: MISC
Type: Product, Third Party Advisory
https://www.npmjs.com/package/tar

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-37713

Vulnerable Configuration:Configuration 1:
  • cpe:/a:npmjs:tar:*:*:*:*:*:node.js:*:* (Version < 4.4.18)
  • OR cpe:/a:npmjs:tar:*:*:*:*:*:node.js:*:* (Version >= 5.0.0 and < 5.0.10)
  • OR cpe:/a:npmjs:tar:*:*:*:*:*:node.js:*:* (Version >= 6.0.0 and < 6.1.9)
  • AND
  • cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
  • OR cpe:/a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*

    • Configuration 3:
  • cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)

    • Configuration CCN 1:
  • cpe:/a:nodejs:node.js:12:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:14.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:rational_application_developer:9.6:*:*:*:websphere:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_developer_for_i:9.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_developer_for_i:9.6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_developer_for_i:9.6.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_developer_for_i:9.6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_developer_for_i:9.6.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_developer_for_i:9.6.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_user_behavior_analytics:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8168
    P
    		Security update for Salt (Moderate)
    2023-06-21
    oval:org.opensuse.security:def:8170
    P
    		Security update for salt and python-pyzmq (Moderate)
    2023-06-21
    oval:org.opensuse.security:def:8188
    P
    		Security update for amazon-ecs-init (Important) (in QA)
    2023-06-20
    oval:org.opensuse.security:def:8190
    P
    		Security update for terraform-provider-aws (Important) (in QA)
    2023-06-20
    oval:org.opensuse.security:def:113038
    P
    		nodejs14-14.18.1-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:49467
    P
    		Security update for nodejs12 (Important) (in QA)
    2022-01-14
    oval:org.opensuse.security:def:20996
    P
    		Security update for nodejs12 (Important) (in QA)
    2022-01-14
    oval:org.opensuse.security:def:111164
    P
    		Security update for nodejs12 (Important)
    2021-12-12
    oval:org.opensuse.security:def:111154
    P
    		Security update for nodejs14 (Important)
    2021-12-10
    oval:org.opensuse.security:def:69279
    P
    		Security update for nodejs14 (Important)
    2021-12-07
    oval:org.opensuse.security:def:102825
    P
    		Security update for nodejs14 (Important)
    2021-12-07
    oval:org.opensuse.security:def:1713
    P
    		Security update for nodejs14 (Important)
    2021-12-07
    oval:org.opensuse.security:def:69259
    P
    		Security update for nodejs14 (Important)
    2021-12-07
    oval:org.opensuse.security:def:96135
    P
    		Security update for nodejs14 (Important)
    2021-12-07
    oval:org.opensuse.security:def:109491
    P
    		Security update for nodejs14 (Important)
    2021-12-07
    oval:org.opensuse.security:def:102273
    P
    		Security update for nodejs14 (Important)
    2021-12-07
    oval:org.opensuse.security:def:111826
    P
    		Security update for nodejs14 (Important)
    2021-12-07
    oval:org.opensuse.security:def:118587
    P
    		Security update for nodejs14 (Important)
    2021-12-07
    oval:org.opensuse.security:def:102823
    P
    		Security update for nodejs12 (Important)
    2021-12-06
    oval:org.opensuse.security:def:1711
    P
    		Security update for nodejs12 (Important)
    2021-12-06
    oval:org.opensuse.security:def:69257
    P
    		Security update for nodejs12 (Important)
    2021-12-06
    oval:org.opensuse.security:def:96133
    P
    		Security update for nodejs12 (Important)
    2021-12-06
    oval:org.opensuse.security:def:109489
    P
    		Security update for nodejs12 (Important)
    2021-12-06
    oval:org.opensuse.security:def:102271
    P
    		Security update for nodejs12 (Important)
    2021-12-06
    oval:org.opensuse.security:def:111817
    P
    		Security update for nodejs12 (Important)
    2021-12-06
    oval:org.opensuse.security:def:118585
    P
    		Security update for nodejs12 (Important)
    2021-12-06
    oval:org.opensuse.security:def:69277
    P
    		Security update for nodejs12 (Important)
    2021-12-06
    oval:org.opensuse.security:def:20986
    P
    		Security update for nodejs14 (Important)
    2021-12-02
    oval:org.opensuse.security:def:49457
    P
    		Security update for nodejs14 (Important)
    2021-12-02
    BACK
    npmjs tar *
    npmjs tar *
    npmjs tar *
    microsoft windows -
    oracle graalvm 20.3.3
    oracle graalvm 21.2.0
    siemens sinec infrastructure network services *
    nodejs node.js 12
    nodejs node.js 14.0
    ibm rational application developer 9.6
    ibm infosphere information server 11.7
    ibm rational developer for i 9.6.0
    ibm rational developer for i 9.6.0.1
    ibm rational developer for i 9.6.0.2
    ibm rational developer for i 9.6.0.3
    ibm integration bus 10.0.0.0
    ibm rational developer for i 9.6.0.4
    ibm rational developer for i 9.6.0.5
    ibm watson discovery 2.0.0
    ibm mobilefirst platform foundation 8.0.0.0
    ibm cloud private 3.2.1 cd
    ibm cloud private 3.2.2 cd
    ibm watson discovery 2.2.1
    ibm cloud pak for automation 21.0.1
    ibm cloud pak for automation 21.0.2 -
    ibm planning analytics 2.0
    ibm qradar user behavior analytics 1.0.0
    ibm security verify governance 10.0.1
    ibm security verify governance 10.0