{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-04T19:04:47", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/344595"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/node-tar/compare/58a8d43...a5f7779"}, {"name": "RHSA-2019:1821", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1821"}, {"tags": ["x_refsource_MISC"], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20834"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/node-tar/commits/v2.2.2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-20834", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/344595", "refsource": "MISC", "url": "https://hackerone.com/reports/344595"}, {"name": "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8", "refsource": "MISC", "url": "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8"}, {"name": "https://github.com/npm/node-tar/compare/58a8d43...a5f7779", "refsource": "MISC", "url": "https://github.com/npm/node-tar/compare/58a8d43...a5f7779"}, {"name": "RHSA-2019:1821", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1821"}, {"name": "https://nvd.nist.gov/vuln/detail/CVE-2018-20834", "refsource": "MISC", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20834"}, {"name": "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d", "refsource": "MISC", "url": "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d"}, {"name": "https://github.com/npm/node-tar/commits/v2.2.2", "refsource": "MISC", "url": "https://github.com/npm/node-tar/commits/v2.2.2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:12:27.376Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/344595"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/node-tar/compare/58a8d43...a5f7779"}, {"name": "RHSA-2019:1821", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1821"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20834"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/node-tar/commits/v2.2.2"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-20834", "datePublished": "2019-04-30T18:01:58", "dateReserved": "2019-04-30T00:00:00", "dateUpdated": "2024-08-05T12:12:27.376Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:node-tar_project:node-tar:*:*:*:*:*:*:*:*", "matchCriteriaId": "25114F61-BC5B-4B8E-B991-01EE8F6E8B1B", "versionEndExcluding": "2.2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:node-tar_project:node-tar:*:*:*:*:*:*:*:*", "matchCriteriaId": "80C2038D-E008-44E4-89B9-210B0612BE3F", "versionEndExcluding": "4.4.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2)."}, {"lang": "es", "value": "Se detecto una vulnerabilidad en node-tar en versiones anteriores a la 4.4.2 (excluyendo la versi\u00f3n 2.2.2). Existe un problema de sobrescritura arbitraria de archivos cuando se extrae un tarball que contiene un enlace f\u00edsico a un archivo que ya existe en el sistema, junto con un archivo plano posterior con el mismo nombre que el enlace f\u00edsico. Este contenido de archivo simple reemplaza el contenido de archivo existente. Se ha aplicado un parche a node-tar v2.2.2)."}], "id": "CVE-2018-20834", "lastModified": "2019-09-04T20:15:10.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-30T19:29:03.327", "references": [{"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:1821"}, {"source": "cve@mitre.org", "url": "https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8"}, {"source": "cve@mitre.org", "url": "https://github.com/npm/node-tar/commits/v2.2.2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/node-tar/compare/58a8d43...a5f7779"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/344595"}, {"source": "cve@mitre.org", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20834"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:1821", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.16.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-07-22T00:00:00Z"}, {"advisory": "RHSA-2019:1821", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.16.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-07-22T00:00:00Z"}, {"advisory": "RHSA-2019:1821", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.16.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-07-22T00:00:00Z"}, {"advisory": "RHSA-2019:1821", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.16.0-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-07-22T00:00:00Z"}], "bugzilla": {"description": "nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link", "id": "1702338", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1702338"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-59", "details": ["A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).", "A flaw was found in nodejs-tar in versions prior to 4.4.2. An arbitrary file overwrite can occur when extracting tarballs containing a hard-link to a file that already exists in the system. Further, a file that matches the hard-link may overwrite the system's files with the contents of the extracted file. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability."], "name": "CVE-2018-20834", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "impact": "low", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:10/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:mobile_application_platform:4", "fix_state": "Not affected", "package_name": "nodejs-tar", "product_name": "Red Hat Mobile Application Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "kibana5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.6", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.6"}, {"cpe": "cpe:/a:redhat:openshift:3.7", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.7"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Not affected", "package_name": "kibana", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "kibana5", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs10-nodejs", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nodejs6-nodejs-tar", "product_name": "Red Hat Software Collections"}], "public_date": "2018-04-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-20834\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-20834\nhttps://hackerone.com/reports/344595"], "statement": "In Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container bundles many nodejs packages as a build time dependencies, including the tar package. \nThe vulnerable nodejs tar package is not used in a way that makes this vulnerability exploitable, hence the impact to OpenShift Logging by this vulnerability is Low.", "threat_severity": "Important", "upstream_fix": "nodejs-tar 4.4.2"}