CVE-2021-37701
Arbitrary File Creation vulnerability in tar (npm)
What is CVE-2021-37701 About?
This vulnerability in `node-tar` (the npm package `tar`) allows arbitrary file creation and overwrite during archive extraction, which can be escalated to code execution. node-tar caches the directories it has already created so it can skip repeated filesystem checks; the cache treated a backslash as a path separator even on POSIX systems, where it is an ordinary filename character, and compared names case-sensitively even on case-insensitive filesystems. A crafted archive that extracts a directory and then a symlink whose name collides with it under one of those two confusions leaves the cache believing a real directory still exists where a symlink now sits, so later entries are written through the link to an attacker-chosen location.
Affected Software
- tar
- >=3.0.0, <4.4.16
- >=5.0.0, <5.0.8
- >=6.0.0, <6.1.7
Technical Details
node-tar versions before 4.4.16, 5.0.8 and 6.1.7 are vulnerable to arbitrary file creation and overwrite, which can lead to code execution depending on what the extracting process is allowed to write. node-tar aims to guarantee that no file is extracted to a location that a symbolic link would redirect, in part by making sure the directories it extracts into are not symlinks. To avoid a stat call for every entry it keeps a cache of the directory paths it has already created. Two flaws in how that cache was keyed made the guarantee bypassable:
- Path separators: the cache logic treated both `/` and `\` as separators. On POSIX a backslash is a legal filename character, so an archive can contain a directory and a symlink whose names the filesystem considers different but the cache considers the same.
- Case: the cache compared names case-sensitively. On a case-insensitive filesystem a directory `FOO` and a symlink `foo` are the same filesystem object but distinct cache entries.
The attack sequence is the same for both. The archive first contains a directory entry, which node-tar creates and caches. It then contains a symlink entry whose name collides with that directory under one of the two confusions. Because node-tar removes an existing directory before placing a symlink at its path, the real directory is replaced by a link to an attacker-chosen target, but the cache entry for the original spelling is never invalidated, so node-tar still believes a directory it created exists there. Subsequent entries nested under that directory hit the cache, skip the check that would have detected the symlink, and are written through the link into the target location, including sensitive system paths outside the extraction root. This is a follow-on to the directory-cache-poisoning issue CVE-2021-32803; the fixed versions close both confusions in the cache logic.
What is the Impact of CVE-2021-37701?
Successful exploitation lets an attacker create or overwrite arbitrary files with the permissions of the process performing the extraction. Overwriting a script, configuration file or binary that the application or the host later executes turns this into arbitrary code execution, and if extraction runs as root the result is full system compromise.
What is the Exploitability of CVE-2021-37701?
Exploitation requires getting a crafted tar archive extracted by an application that uses a vulnerable node-tar. Constructing the archive is of moderate complexity: the attacker must order the entries (directory, then colliding symlink, then payload files nested under the directory) so that the cache is poisoned before the payload entries are processed, and must match the variant to the target, since the case-folding collision only works on case-insensitive filesystems and the backslash collision only on POSIX. No authentication is needed when the application accepts archives from untrusted sources, for example file uploads or CI jobs that unpack externally supplied artifacts. The attacker needs no privileges on the target: writes happen with the permissions of the process running node-tar, so the impact scales with that process, from tampering with the application's own files to overwriting system files when extraction runs as root. The vector is remote whenever the archive can be delivered over the network. The preconditions are an unpatched node-tar and the extraction of untrusted archives; applications that automatically unpack uploaded archives without validation or sandboxing are the most exposed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-37701?
Available Upgrade Options
- tar >=3.0.0, <4.4.16 → Upgrade to 4.4.16
- tar >=5.0.0, <5.0.8 → Upgrade to 5.0.8
- tar >=6.0.0, <6.1.7 → Upgrade to 6.1.7
If an upgrade cannot be deployed immediately, the upstream advisory recommends passing a `filter` option to `tar.x()` that returns `false` for any entry whose `type` is `SymbolicLink`, so that no symlink from an untrusted archive is ever created.
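The following is an added example, not code from node-tar or from the source of this advisory. It demonstrates both halves of the mechanism described under Technical Details and the workaround suggested above: a `filter` for node-tar's `tar.x()` that refuses symlinks by default and, even when symlinks are allowed, refuses any entry that collides with an already extracted directory or that would be written through an already extracted link. It does so with its own cache key that folds backslashes and (optionally) case the same way the filesystem might, which is exactly the normalisation the vulnerable cache got wrong. The `filter(path, entry)` signature and the `entry.type` values are node-tar's documented extract options; the entry lists, link targets and the `caseInsensitive`/`allowSymlinks` option names are constructed for this example. It runs offline with plain Node and needs no packages.

```javascript
'use strict';
// Added example, not node-tar's own code: an extraction filter that enforces
// the invariant the advisory describes (never write a file whose location a
// just-extracted symlink would redirect) independently of node-tar's internal
// directory cache. Shaped for the `filter(path, entry)` option of `tar.x()`,
// where `entry.type` is e.g. 'Directory', 'File' or 'SymbolicLink'. The entry
// lists at the bottom are constructed by hand; the link targets are placeholders.

// Conservative cache key: treat BOTH '/' and '\' as separators (so a literal
// backslash on POSIX is folded together with the directory it could be
// confused with), drop '.' and empty segments, resolve '..', and fold case
// when the target filesystem is case-insensitive. Two entries with the same
// key are treated as the same filesystem object; the vulnerable cache made
// that assumption inconsistently.
function cacheKey(entryPath, caseInsensitive) {
  const segs = [];
  for (const seg of String(entryPath).split(/[\\\/]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (segs.length > 0 && segs[segs.length - 1] !== '..') segs.pop();
      else segs.push('..');
      continue;
    }
    segs.push(seg);
  }
  const key = segs.join('/');
  return caseInsensitive ? key.toLowerCase() : key;
}

// Build a node-tar compatible filter. `rejected` collects every refusal with
// its reason so the caller can log it or abort the whole extraction.
function makeSafeFilter({ caseInsensitive = false, allowSymlinks = false } = {}) {
  const dirs = new Set();      // keys extracted as real directories
  const symlinks = new Set();  // keys at which a symlink entry was seen
  const rejected = [];
  const refuse = (p, reason) => { rejected.push({ path: p, reason }); return false; };

  function filter(entryPath, entry) {
    const key = cacheKey(entryPath, caseInsensitive);
    // Absolute paths (POSIX or drive-letter) and '..' escapes never belong in an archive.
    if (/^([\\\/]|[A-Za-z]:)/.test(String(entryPath)) || key === '..' || key.startsWith('../')) {
      return refuse(entryPath, 'path escapes the extraction root');
    }
    // Any ancestor that became a symlink means this entry would be written
    // through the link, whatever the library's directory cache believes.
    for (let i = key.lastIndexOf('/'); i > 0; i = key.lastIndexOf('/', i - 1)) {
      const parent = key.slice(0, i);
      if (symlinks.has(parent)) return refuse(entryPath, `ancestor ${parent} is a symlink`);
    }
    if (entry.type === 'SymbolicLink') {
      // Remember the link even when refusing it: the archive has shown its
      // intent, so everything beneath that name is treated as hostile.
      symlinks.add(key);
      if (dirs.has(key)) return refuse(entryPath, 'symlink replaces an extracted directory');
      if (!allowSymlinks) return refuse(entryPath, 'symlinks are not allowed');
      return true;
    }
    if (entry.type === 'Directory') dirs.add(key);
    return true;
  }
  return { filter, rejected };
}

// Dry run: call the filter for each entry in archive order, as node-tar would.
function scanEntries(entries, opts) {
  const { filter: accept, rejected } = makeSafeFilter(opts);
  const accepted = entries.filter(e => accept(e.path, e)).map(e => e.path);
  return { accepted, rejected };
}

// Constructed entry sequences mirroring the two collisions in the advisory.
const CASE_COLLISION = [
  { path: 'FOO/', type: 'Directory' },
  { path: 'foo', type: 'SymbolicLink', linkpath: '/etc' },      // same object as FOO on a case-insensitive FS
  { path: 'foo/cron.d/evil', type: 'File' },                    // would land in /etc/cron.d
];
const BACKSLASH_COLLISION = [
  { path: 'foo/', type: 'Directory' },
  { path: 'foo\\link', type: 'SymbolicLink', linkpath: '/etc' }, // literal backslash in the name on POSIX
  { path: 'foo\\link/evil', type: 'File' },                      // would be written through the link
];

function demo() {
  return {
    caseInsensitiveFs: scanEntries(CASE_COLLISION, { caseInsensitive: true }),
    posixWithSymlinks: scanEntries(BACKSLASH_COLLISION, { allowSymlinks: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To wire it in, build the filter once per extraction (`const { filter, rejected } = makeSafeFilter({ caseInsensitive: true })` on macOS or Windows, whose default filesystems are case-insensitive) and pass `filter` to `tar.x()`; afterwards, treat a non-empty `rejected` list as proof that the archive is hostile and delete the partial extraction rather than keep what was accepted. The key is deliberately conservative: on POSIX a harmless file whose name merely contains a backslash next to an unrelated symlink is refused too, which is the right trade-off for untrusted input.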
Additional Resources
- https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
- https://www.npmjs.com/package/tar
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://www.debian.org/security/2021/dsa-5008
- https://nvd.nist.gov/vuln/detail/CVE-2021-37701
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://osv.dev/vulnerability/GHSA-9r2w-394v-53qc
- https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html
What are Similar Vulnerabilities to CVE-2021-37701?
Similar Vulnerabilities: CVE-2022-24756, CVE-2021-32640, CVE-2021-41133, CVE-2020-28241, CVE-2019-10023
