CVE-2018-20835

A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
VendorProductVersion
tar-fs_projecttar-fs
𝑥
< 1.16.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-tar-fs
bullseye
2.1.1-2
fixed
sid
2.1.1-6
fixed
trixie
2.1.1-6
fixed
bookworm
2.1.1-6
fixed
Common Weakness Enumeration
References
https://github.com/mafintosh/tar-fs/commit/06672828e6fa29ac8551b1b6f36c852a9a3c58a2
https://github.com/mafintosh/tar-fs/compare/d590fc7...a35ce2f
https://hackerone.com/reports/344595
https://github.com/mafintosh/tar-fs/commit/06672828e6fa29ac8551b1b6f36c852a9a3c58a2
https://github.com/mafintosh/tar-fs/compare/d590fc7...a35ce2f
https://hackerone.com/reports/344595