CVE-2021-32803
Arbitrary File Creation vulnerability in tar (npm)


What is CVE-2021-32803 About?

This arbitrary file creation vulnerability in `node-tar` (before 3.2.3, 4.4.15, 5.0.7, 6.1.2) allows an untrusted tar file to create or overwrite arbitrary files on the system. This is achieved by bypassing symlink checks on directories through specific ordering of directory and symlink entries within a tar archive. The impact can include arbitrary code execution. Exploitation requires crafting a malicious tar file.

Affected Software

  • tar
    • >4.0.0, <4.4.15
    • >6.0.0, <6.1.2
    • >5.0.0, <5.0.7
    • >3.0.0, <3.2.3

Technical Details

The node-tar package versions before 3.2.3, 4.4.15, 5.0.7, and 6.1.2 are vulnerable to arbitrary file creation/overwrite and potential arbitrary code execution. The vulnerability arises from an insufficient symlink check mechanism during tar extraction. node-tar attempts to prevent symlink traversal attacks by not extracting files whose locations would be modified by a symlink and by checking for symlinks when directories are created.

However, this logic is flawed when a tar archive contains both a directory entry and a symlink entry with the same name as that directory, in a specific order. If the directory is extracted first, it gets added to node-tar's internal directory cache. Subsequent attempts to create or check a symlink (with the same name) for that path are then skipped because the path is already in the cache, bypassing the symlink checks.

This allows a malicious tar file to first create a directory, then overwrite it with a symlink pointing to an arbitrary location outside the intended extraction path, and finally extract subsequent files into this arbitrary location, leading to file creation or overwrite anywhere on the filesystem. The attack vector is the processing of a crafted tar archive.

What is the Impact of CVE-2021-32803?

Successful exploitation may allow attackers to create or overwrite arbitrary files on the system, potentially leading to arbitrary code execution, privilege escalation, or full system compromise.

What is the Exploitability of CVE-2021-32803?

Exploitation of this vulnerability is of moderate complexity, requiring an attacker to craft a specific tar archive with a precise ordering of directory and symlink entries. No authentication or special privileges are required for an attacker to initiate the exploitation if they can provide a malicious tar file to an application using node-tar. This is typically a remote attack if the application processes untrusted tar archives from network sources, or a local attack if an attacker can place a malicious tar file on the system. The critical prerequisite is that the application uses a vulnerable version of node-tar for archive extraction. The likelihood of exploitation is significantly increased in systems that automatically extract or process tar archives from untrusted sources without robust integrity or content verification. Using a custom filter method to prevent extraction of symbolic links can act as a workaround, but upgrading node-tar is highly recommended.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2021-32803?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

The patch prevents directory traversal attacks by ensuring that if a directory is replaced with a non-directory (such as a symlink), any cached directory entries under that path are removed from the internal dirCache. This fix mitigates CVE-2021-32803 by ensuring that malicious tar entries cannot cause files to be written outside the intended extraction directory by exploiting stale directory cache entries.

Available Upgrade Options

  • tar
    • >3.0.0, <3.2.3 → Upgrade to 3.2.3
    • >4.0.0, <4.4.15 → Upgrade to 4.4.15
    • >5.0.0, <5.0.7 → Upgrade to 5.0.7
    • >6.0.0, <6.1.2 → Upgrade to 6.1.2


Additional Resources

What are Similar Vulnerabilities to CVE-2021-32803?

Similar Vulnerabilities: CVE-2022-24757, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541, CVE-2021-39139