Path Traversal in Npm Node-tar
CVE-2021-37701
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.001 (27.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.
Affected products
- Npm Node-tar — versions < 4.4.16, >= 5.0.0, < 5.0.8, >= 6.0.0, < 6.1.7
Weakness classification (CWE)
Public proof-of-concept exploits
References
- www.npmjs.com/package/tar
- github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
- www.oracle.com/security-alerts/cpuoct2021.html
- DSA-5008 (vendor-advisory)
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- [debian-lts-announce] 20221212 [SECURITY] [DLA 3237-1] node-tar security update (mailing-list)
Frequently asked questions
- What is CVE-2021-37701?
- CVE-2021-37701 is a high-severity vulnerability in Npm Node-tar, classified under Path Traversal. CVSS score: 8.2/10. Published 2021-08-31.
- How severe is CVE-2021-37701?
- High severity. CVSS v3 base score is 8.2 out of 10.
- Is CVE-2021-37701 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.