SCA: security update for tar (GHSA-qq89-hq3f-393p)

high Tenable Cloud Security Plugin ID 418267

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file
creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file
whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by
ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat
calls to determine whether a given path is a directory, paths are cached when directories are created.
This logic was insufficient when extracting tar files that contained both a directory and a symlink with
names containing unicode values that normalized to the same value. Additionally, on Windows systems, long
path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A
specially crafted tar archive could thus include a directory with one form of the path, followed by a
symbolic link with a different string that resolves to the same file system entity, followed by a file
using the first form. By first creating a directory, and then replacing that directory with a symlink that
had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to
bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into
an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing
arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9.
The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are
still using a v3 release we recommend you update to a more recent version of node-tar. If this is not
possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p. (CVE-2021-37712)

See Also

https://github.com/advisories/GHSA-qq89-hq3f-393p

Plugin Details

Severity: High

ID: 418267

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.3

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-37712

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/31/2021

Vulnerability Publication Date: 8/31/2021

Reference Information

CVE: CVE-2021-37712