CVE-2021-32803 - Vulnerability Details

CVE-2021-32803 - Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00176.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Graalvm
Redhat	Acm Enterprise Linux Openshift Data Foundation Rhel Eus Rhel Software Collections
Siemens	Sinec Infrastructure Network Services
Tar Project	Tar

Configuration 1 [-]

OR	cpe:2.3:a:tar_project:tar::::::node.js::*
	cpe:2.3:a:tar_project:tar::::::node.js::*
	cpe:2.3:a:tar_project:tar::::::node.js::*
	cpe:2.3:a:tar_project:tar::::::node.js::*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:graalvm:20.3.3::::enterprise:::
	cpe:2.3:a:oracle:graalvm:21.2.0::::enterprise:::

Configuration 3 [-]

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Management for Kubernetes 2
acm-grafana-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
acm-must-gather-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
acm-operator-bundle-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
application-ui-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
assisted-image-service-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
cert-policy-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
cluster-backup-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
clusterclaims-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
cluster-curator-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
clusterlifecycle-state-metrics-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
cluster-proxy-addon-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
config-policy-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
console-api-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
console-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
discovery-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
endpoint-monitoring-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
governance-policy-propagator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
governance-policy-spec-sync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
governance-policy-status-sync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
governance-policy-template-sync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
grafana-dashboard-loader-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
grc-ui-api-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
grc-ui-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
iam-policy-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
insights-client-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
insights-metrics-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
klusterlet-addon-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
klusterlet-addon-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
klusterlet-operator-bundle-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
kube-rbac-proxy-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
kube-state-metrics-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
managedcluster-import-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
management-ingress-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
memcached-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
memcached-exporter-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
metrics-collector-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicloud-integrations-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicloud-manager-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multiclusterhub-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multiclusterhub-repo-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-observability-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-application-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-channel-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-deployable-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-placementrule-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-subscription-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-subscription-release-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
node-exporter-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
observatorium-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
observatorium-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
openshift-hive-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
placement-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
prometheus-alertmanager-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
prometheus-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
provider-credential-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rbac-query-proxy-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
redisgraph-tls-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
registration-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
registration-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rhacm-agent-service-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rhacm-assisted-installer-agent-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rhacm-assisted-installer-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rhacm-assisted-installer-reporter-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-aggregator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-api-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-collector-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-ui-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
submariner-addon-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
thanos-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
thanos-receive-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
volsync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
volsync-mover-rclone-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
volsync-mover-restic-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
volsync-mover-rsync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
work-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
Red Hat Enterprise Linux 8
nodejs:12-8040020210817133458.522a0ee4	cpe:/a:redhat:enterprise_linux:8	RHSA-2021:3623	2021-09-21T00:00:00Z
nodejs:14-8040020210817165654.522a0ee4	cpe:/a:redhat:enterprise_linux:8	RHSA-2021:3666	2021-09-27T00:00:00Z
Red Hat Enterprise Linux 8.1 Extended Update Support
nodejs:12-8010020210817113128.c27ad7f8	cpe:/a:redhat:rhel_eus:8.1	RHSA-2021:3639	2021-09-22T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support
nodejs:12-8020020210817125332.4cda2c84	cpe:/a:redhat:rhel_eus:8.2	RHSA-2021:3638	2021-09-22T00:00:00Z
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8
odf4/cephcsi-rhel8:4.9-164.57484e3.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/ocs-must-gather-rhel8:4.9-257.4181add.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/ocs-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/ocs-rhel8-operator:4.9-257.4181add.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-console-rhel8:4.9-39.0f2fa23.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-multicluster-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-rhel8-operator:4.9-59.c8bbc1f.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odr-cluster-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odr-hub-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odr-rhel8-operator:4.9-27.3d037cc.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/rook-ceph-rhel8-operator:4.9-219.c3f67c6.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/volume-replication-rhel8-operator:4.9-28.82f68db.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7
rh-nodejs14-nodejs-0:14.17.5-1.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3280	2021-08-26T00:00:00Z
rh-nodejs12-nodejs-0:12.22.5-1.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3281	2021-08-26T00:00:00Z
rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3281	2021-08-26T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
rh-nodejs14-nodejs-0:14.17.5-1.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3280	2021-08-26T00:00:00Z
rh-nodejs12-nodejs-0:12.22.5-1.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3281	2021-08-26T00:00:00Z
rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3281	2021-08-26T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-1856	The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Github GHSA	GHSA-r628-mhmh-qjhw	Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Ubuntu USN	USN-5283-1	Tar for Node.js vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20
https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw
https://nvd.nist.gov/vuln/detail/CVE-2021-32803
https://www.cve.org/CVERecord?id=CVE-2021-32803
https://www.npmjs.com/advisories/1771
https://www.npmjs.com/package/tar
https://www.oracle.com/security-alerts/cpuoct2021.html

History

Sun, 08 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat acm
CPEs		cpe:/a:redhat:acm:2.4::el8
Vendors & Products		Redhat acm

Mon, 19 Aug 2024 22:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:acm:2.4::el8~~
Vendors & Products	Redhat acm

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-03T19:05:12

Updated: 2024-08-03T23:33:56.082Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32803

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-03T19:15:08.297

Modified: 2024-11-21T06:07:46.637

Link: CVE-2021-32803

Redhat

Severity : Moderate

Publid Date: 2021-08-03T00:00:00Z

Links: CVE-2021-32803 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object