What is CVE-2021-32803?

CVE-2021-32803 is a high-severity vulnerability in Npm Node-tar, classified under Path Traversal. CVSS score: 8.2/10. Published 2021-08-03.

How severe is CVE-2021-32803?

High severity. CVSS v3 base score is 8.2 out of 10.

Is CVE-2021-32803 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Npm Node-tar

CVE-2021-32803

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location woul…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (30.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.

Affected products

Npm Node-tar — versions < 3.2.3, >= 4.0.0, < 4.4.15, >= 5.0.0, < 5.0.7

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

References

github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw (x_refsource_CONFIRM)
github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20 (x_refsource_MISC)
www.npmjs.com/advisories/1771 (x_refsource_MISC)
www.npmjs.com/package/tar (x_refsource_MISC)
www.oracle.com/security-alerts/cpuoct2021.html (x_refsource_MISC)
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2021-32803?: CVE-2021-32803 is a high-severity vulnerability in Npm Node-tar, classified under Path Traversal. CVSS score: 8.2/10. Published 2021-08-03.
How severe is CVE-2021-32803?: High severity. CVSS v3 base score is 8.2 out of 10.
Is CVE-2021-32803 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.