{"containers": {"cna": {"affected": [{"product": "node-tar", "vendor": "npm", "versions": [{"status": "affected", "version": "< 3.2.2"}, {"status": "affected", "version": ">= 4.0.0, < 4.4.14"}, {"status": "affected", "version": ">= 5.0.0, < 5.0.6"}, {"status": "affected", "version": ">= 6.0.0, < 6.1.1"}]}], "descriptions": [{"lang": "en", "value": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-08T14:07:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/tar"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/advisories/1770"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}], "source": {"advisory": "GHSA-3jfq-g458-7qm9", "discovery": "UNKNOWN"}, "title": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32804", "STATE": "PUBLIC", "TITLE": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "node-tar", "version": {"version_data": [{"version_value": "< 3.2.2"}, {"version_value": ">= 4.0.0, < 4.4.14"}, {"version_value": ">= 5.0.0, < 5.0.6"}, {"version_value": ">= 6.0.0, < 6.1.1"}]}}]}, "vendor_name": "npm"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.npmjs.com/package/tar", "refsource": "MISC", "url": "https://www.npmjs.com/package/tar"}, {"name": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", "refsource": "CONFIRM", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"}, {"name": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", "refsource": "MISC", "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4"}, {"name": "https://www.npmjs.com/advisories/1770", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/1770"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}]}, "source": {"advisory": "GHSA-3jfq-g458-7qm9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:56.070Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/tar"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/advisories/1770"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32804", "datePublished": "2021-08-03T19:10:12", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:56.070Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "48083832-29DB-4428-836C-BC1072AC6384", "versionEndExcluding": "3.2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "77DE1692-7EF1-43FF-95CB-B1EAA8CB030B", "versionEndExcluding": "4.4.14", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EF8B9011-1EAA-4D9E-89CA-597D7309EE66", "versionEndExcluding": "5.0.6", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "24EC2FC6-7549-4C94-9560-54A88703BCA5", "versionEndExcluding": "6.1.1", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*", "matchCriteriaId": "53B2BB06-A2F7-4603-89C3-C8500E55483A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "01E88C86-8C04-4A4A-BF45-9082AA783056", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0F46497-4AB0-49A7-9453-CC26837BF253", "versionEndExcluding": "1.0.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar."}, {"lang": "es", "value": "El paquete npm \"tar\" (tambi\u00e9n se conoce como node-tar) versiones anteriores a 6.1.1, 5.0.6, 4.4.14 y 3.3.2, presenta una vulnerabilidad de Creaci\u00f3n y Sobrescritura de archivos arbitraria debido a un saneo insuficiente de rutas absolutas. node-tar pretende impedir la extracci\u00f3n de rutas absolutas de archivos al convertir las rutas absolutas en relativas cuando el flag \"preservePaths\" no est\u00e1 establecido en \"true\". Esto se consigue eliminando el root de la ruta absoluta de cualquier ruta de archivo absoluta contenida en un archivo tar. Por ejemplo, \"home/user/.bashrc\" se convertir\u00eda en \"home/user/.bashrc\". Esta l\u00f3gica era insuficiente cuando las rutas de los archivos conten\u00edan roots de ruta repetidas, como \"////home/user/.bashrc\". \"node-tar\" s\u00f3lo eliminaba un \u00fanico root de esas rutas. Cuando se daba una ruta de archivo absoluta con ra\u00edces de ruta repetidas, la ruta resultante (por ejemplo, \"///home/user/.bashrc\") segu\u00eda resolvi\u00e9ndose como una ruta absoluta, permitiendo as\u00ed la creaci\u00f3n y sobrescritura de archivos arbitraria. Este problema se ha solucionado en las versiones 3.2.2, 4.4.14, 5.0.6 y 6.1.1. Los usuarios pueden solucionar esta vulnerabilidad sin necesidad de actualizar al crear un m\u00e9todo personalizado \"onentry\" que sanee \"entry.path\" o un m\u00e9todo \"filter\" que elimine las entradas con rutas absolutas. Consulte el aviso de GitHub mencionado para obtener m\u00e1s detalles. Tenga en cuenta CVE-2021-32803 que corrige un error similar en versiones posteriores de tar"}], "id": "CVE-2021-32804", "lastModified": "2022-04-25T19:12:42.190", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-08-03T19:15:08.410", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.npmjs.com/advisories/1770"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/tar"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-grafana-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-must-gather-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "application-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "assisted-image-service-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cert-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-backup-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "clusterclaims-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-curator-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "clusterlifecycle-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-proxy-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "config-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "console-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "console-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "discovery-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "endpoint-monitoring-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-propagator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-spec-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-status-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-template-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grafana-dashboard-loader-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grc-ui-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grc-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "iam-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "insights-client-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "insights-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-addon-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "kube-rbac-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "kube-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "managedcluster-import-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "management-ingress-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "memcached-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "memcached-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "metrics-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicloud-integrations-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicloud-manager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multiclusterhub-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multiclusterhub-repo-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-observability-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-application-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-channel-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-deployable-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-placementrule-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-subscription-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-subscription-release-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "node-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "observatorium-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "observatorium-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "openshift-hive-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "placement-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "prometheus-alertmanager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "prometheus-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "provider-credential-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rbac-query-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "redisgraph-tls-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "registration-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "registration-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-agent-service-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-agent-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-reporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-aggregator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "submariner-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "thanos-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "thanos-receive-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-rclone-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-restic-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-rsync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "work-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:3623", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "nodejs:12-8040020210817133458.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-09-21T00:00:00Z"}, {"advisory": "RHSA-2021:3666", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "nodejs:14-8040020210817165654.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-09-27T00:00:00Z"}, {"advisory": "RHSA-2021:3639", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "nodejs:12-8010020210817113128.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-09-22T00:00:00Z"}, {"advisory": "RHSA-2021:3638", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "nodejs:12-8020020210817125332.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-09-22T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/cephcsi-rhel8:4.9-164.57484e3.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/ocs-must-gather-rhel8:4.9-257.4181add.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/ocs-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/ocs-rhel8-operator:4.9-257.4181add.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-console-rhel8:4.9-39.0f2fa23.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-multicluster-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-rhel8-operator:4.9-59.c8bbc1f.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odr-cluster-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odr-hub-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odr-rhel8-operator:4.9-27.3d037cc.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/rook-ceph-rhel8-operator:4.9-219.c3f67c6.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/volume-replication-rhel8-operator:4.9-28.82f68db.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:3280", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs14-nodejs-0:14.17.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs12-nodejs-0:12.22.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3280", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs14-nodejs-0:14.17.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs12-nodejs-0:12.22.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-26T00:00:00Z"}], "bugzilla": {"description": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", "id": "1990409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1990409"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "status": "verified"}, "cwe": "CWE-22", "details": ["The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", "The npm package \"tar\" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file."], "name": "CVE-2021-32804", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "impact": "low", "package_name": "rhacm2/application-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "impact": "low", "package_name": "rhacm2/console-header-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "impact": "low", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "impact": "low", "package_name": "rhacm2/console-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "rhacm2/grc-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "impact": "low", "package_name": "rhacm2/kui-web-terminal-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Will not fix", "impact": "low", "package_name": "rhacm2/mcm-topology-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "rhacm2/search-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:16/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "impact": "moderate", "package_name": "tar-pack", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "moderate", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "impact": "moderate", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "impact": "moderate", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "impact": "moderate", "package_name": "quay", "product_name": "Red Hat Quay 3"}], "public_date": "2021-08-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-32804\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-32804\nhttps://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"], "statement": "Red Hat Quay 3.3 uses an affected version of nodejs-tar. However Quay 3.3 is in extended life phase and a fix will not be delivered[1]. More recent versions of Red Hat Quay do not include nodejs-tar and are not affected.\n1. https://access.redhat.com/support/policy/updates/rhquay\nRed Hat Enterprise Linux version 8 and Red Hat Software Collection both embed node-tar in the npm command. A specially crafted node module could create and overwrite files outside of its dedicated directory.", "threat_severity": "Moderate", "upstream_fix": "nodejs-tar 3.2.2, nodejs-tar 4.4.14, nodejs-tar 5.0.6, nodejs-tar 6.1.1"}