CVE-2021-32804 - Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Graalvm
Redhat	Acm Enterprise Linux Openshift Data Foundation Rhel Eus Rhel Software Collections
Siemens	Sinec Infrastructure Network Services
Tar Project	Tar

Configuration 1 [-]

OR	cpe:2.3:a:tar_project:tar::::::node.js::*
	cpe:2.3:a:tar_project:tar::::::node.js::*
	cpe:2.3:a:tar_project:tar::::::node.js::*
	cpe:2.3:a:tar_project:tar::::::node.js::*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:graalvm:20.3.3::::enterprise:::
	cpe:2.3:a:oracle:graalvm:21.2.0::::enterprise:::

Configuration 3 [-]

cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Advanced Cluster Management for Kubernetes 2
acm-grafana-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
acm-must-gather-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
acm-operator-bundle-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
application-ui-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
assisted-image-service-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
cert-policy-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
cluster-backup-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
clusterclaims-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
cluster-curator-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
clusterlifecycle-state-metrics-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
cluster-proxy-addon-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
config-policy-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
console-api-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
console-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
discovery-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
endpoint-monitoring-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
governance-policy-propagator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
governance-policy-spec-sync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
governance-policy-status-sync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
governance-policy-template-sync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
grafana-dashboard-loader-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
grc-ui-api-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
grc-ui-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
iam-policy-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
insights-client-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
insights-metrics-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
klusterlet-addon-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
klusterlet-addon-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
klusterlet-operator-bundle-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
kube-rbac-proxy-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
kube-state-metrics-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
managedcluster-import-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
management-ingress-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
memcached-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
memcached-exporter-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
metrics-collector-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicloud-integrations-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicloud-manager-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multiclusterhub-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multiclusterhub-repo-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-observability-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-application-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-channel-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-deployable-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-placementrule-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-subscription-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
multicluster-operators-subscription-release-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
node-exporter-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
observatorium-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
observatorium-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
openshift-hive-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
placement-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
prometheus-alertmanager-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
prometheus-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
provider-credential-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rbac-query-proxy-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
redisgraph-tls-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
registration-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
registration-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rhacm-agent-service-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rhacm-assisted-installer-agent-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rhacm-assisted-installer-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
rhacm-assisted-installer-reporter-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-aggregator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-api-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-collector-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-operator-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
search-ui-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
submariner-addon-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
thanos-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
thanos-receive-controller-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
volsync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
volsync-mover-rclone-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
volsync-mover-restic-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
volsync-mover-rsync-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
work-container	cpe:/a:redhat:acm:2.4::el8	RHSA-2021:4618	2021-11-11T00:00:00Z
Red Hat Enterprise Linux 8
nodejs:12-8040020210817133458.522a0ee4	cpe:/a:redhat:enterprise_linux:8	RHSA-2021:3623	2021-09-21T00:00:00Z
nodejs:14-8040020210817165654.522a0ee4	cpe:/a:redhat:enterprise_linux:8	RHSA-2021:3666	2021-09-27T00:00:00Z
Red Hat Enterprise Linux 8.1 Extended Update Support
nodejs:12-8010020210817113128.c27ad7f8	cpe:/a:redhat:rhel_eus:8.1	RHSA-2021:3639	2021-09-22T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support
nodejs:12-8020020210817125332.4cda2c84	cpe:/a:redhat:rhel_eus:8.2	RHSA-2021:3638	2021-09-22T00:00:00Z
Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8
odf4/cephcsi-rhel8:4.9-164.57484e3.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/ocs-must-gather-rhel8:4.9-257.4181add.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/ocs-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/ocs-rhel8-operator:4.9-257.4181add.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-console-rhel8:4.9-39.0f2fa23.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-multicluster-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odf-rhel8-operator:4.9-59.c8bbc1f.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odr-cluster-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odr-hub-operator-bundle:4.9.0-5	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/odr-rhel8-operator:4.9-27.3d037cc.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/rook-ceph-rhel8-operator:4.9-219.c3f67c6.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf4/volume-replication-rhel8-operator:4.9-28.82f68db.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
odf/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9	cpe:/a:redhat:openshift_data_foundation:4.9::el8	RHSA-2021:5086	2021-12-13T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7
rh-nodejs14-nodejs-0:14.17.5-1.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3280	2021-08-26T00:00:00Z
rh-nodejs12-nodejs-0:12.22.5-1.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3281	2021-08-26T00:00:00Z
rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3281	2021-08-26T00:00:00Z
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
rh-nodejs14-nodejs-0:14.17.5-1.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3280	2021-08-26T00:00:00Z
rh-nodejs12-nodejs-0:12.22.5-1.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3281	2021-08-26T00:00:00Z
rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7	cpe:/a:redhat:rhel_software_collections:3::el7	RHSA-2021:3281	2021-08-26T00:00:00Z

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
https://nvd.nist.gov/vuln/detail/CVE-2021-32804
https://www.cve.org/CVERecord?id=CVE-2021-32804
https://www.npmjs.com/advisories/1770
https://www.npmjs.com/package/tar
https://www.oracle.com/security-alerts/cpuoct2021.html

History

Sun, 08 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat acm
CPEs		cpe:/a:redhat:acm:2.4::el8
Vendors & Products		Redhat acm

Mon, 19 Aug 2024 22:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:acm:2.4::el8~~
Vendors & Products	Redhat acm

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-03T19:10:12

Updated: 2024-08-03T23:33:56.070Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32804

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-03T19:15:08.410

Modified: 2024-11-21T06:07:46.800

Link: CVE-2021-32804

Redhat

Severity : Moderate

Publid Date: 2021-08-03T00:00:00Z

Links: CVE-2021-32804 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "node-tar", "vendor": "npm", "versions": [{"status": "affected", "version": "< 3.2.2"}, {"status": "affected", "version": ">= 4.0.0, < 4.4.14"}, {"status": "affected", "version": ">= 5.0.0, < 5.0.6"}, {"status": "affected", "version": ">= 6.0.0, < 6.1.1"}]}], "descriptions": [{"lang": "en", "value": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-08T14:07:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/tar"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/advisories/1770"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}], "source": {"advisory": "GHSA-3jfq-g458-7qm9", "discovery": "UNKNOWN"}, "title": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32804", "STATE": "PUBLIC", "TITLE": "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "node-tar", "version": {"version_data": [{"version_value": "< 3.2.2"}, {"version_value": ">= 4.0.0, < 4.4.14"}, {"version_value": ">= 5.0.0, < 5.0.6"}, {"version_value": ">= 6.0.0, < 6.1.1"}]}}]}, "vendor_name": "npm"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.npmjs.com/package/tar", "refsource": "MISC", "url": "https://www.npmjs.com/package/tar"}, {"name": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9", "refsource": "CONFIRM", "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"}, {"name": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4", "refsource": "MISC", "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4"}, {"name": "https://www.npmjs.com/advisories/1770", "refsource": "MISC", "url": "https://www.npmjs.com/advisories/1770"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "refsource": "CONFIRM", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}]}, "source": {"advisory": "GHSA-3jfq-g458-7qm9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:33:56.070Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/tar"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/advisories/1770"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32804", "datePublished": "2021-08-03T19:10:12", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:33:56.070Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "48083832-29DB-4428-836C-BC1072AC6384", "versionEndExcluding": "3.2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "77DE1692-7EF1-43FF-95CB-B1EAA8CB030B", "versionEndExcluding": "4.4.14", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "EF8B9011-1EAA-4D9E-89CA-597D7309EE66", "versionEndExcluding": "5.0.6", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tar_project:tar:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "24EC2FC6-7549-4C94-9560-54A88703BCA5", "versionEndExcluding": "6.1.1", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*", "matchCriteriaId": "53B2BB06-A2F7-4603-89C3-C8500E55483A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "01E88C86-8C04-4A4A-BF45-9082AA783056", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0F46497-4AB0-49A7-9453-CC26837BF253", "versionEndExcluding": "1.0.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar."}, {"lang": "es", "value": "El paquete npm \"tar\" (tambi\u00e9n se conoce como node-tar) versiones anteriores a 6.1.1, 5.0.6, 4.4.14 y 3.3.2, presenta una vulnerabilidad de Creaci\u00f3n y Sobrescritura de archivos arbitraria debido a un saneo insuficiente de rutas absolutas. node-tar pretende impedir la extracci\u00f3n de rutas absolutas de archivos al convertir las rutas absolutas en relativas cuando el flag \"preservePaths\" no est\u00e1 establecido en \"true\". Esto se consigue eliminando el root de la ruta absoluta de cualquier ruta de archivo absoluta contenida en un archivo tar. Por ejemplo, \"home/user/.bashrc\" se convertir\u00eda en \"home/user/.bashrc\". Esta l\u00f3gica era insuficiente cuando las rutas de los archivos conten\u00edan roots de ruta repetidas, como \"////home/user/.bashrc\". \"node-tar\" s\u00f3lo eliminaba un \u00fanico root de esas rutas. Cuando se daba una ruta de archivo absoluta con ra\u00edces de ruta repetidas, la ruta resultante (por ejemplo, \"///home/user/.bashrc\") segu\u00eda resolvi\u00e9ndose como una ruta absoluta, permitiendo as\u00ed la creaci\u00f3n y sobrescritura de archivos arbitraria. Este problema se ha solucionado en las versiones 3.2.2, 4.4.14, 5.0.6 y 6.1.1. Los usuarios pueden solucionar esta vulnerabilidad sin necesidad de actualizar al crear un m\u00e9todo personalizado \"onentry\" que sanee \"entry.path\" o un m\u00e9todo \"filter\" que elimine las entradas con rutas absolutas. Consulte el aviso de GitHub mencionado para obtener m\u00e1s detalles. Tenga en cuenta CVE-2021-32803 que corrige un error similar en versiones posteriores de tar"}], "id": "CVE-2021-32804", "lastModified": "2024-11-21T06:07:46.800", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-03T19:15:08.410", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.npmjs.com/advisories/1770"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/tar"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://www.npmjs.com/advisories/1770"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/tar"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-grafana-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-must-gather-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "acm-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "application-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "assisted-image-service-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cert-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-backup-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "clusterclaims-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-curator-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "clusterlifecycle-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "cluster-proxy-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "config-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "console-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "console-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "discovery-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "endpoint-monitoring-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-propagator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-spec-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-status-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "governance-policy-template-sync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grafana-dashboard-loader-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grc-ui-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "grc-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "iam-policy-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "insights-client-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "insights-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-addon-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-addon-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "klusterlet-operator-bundle-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "kube-rbac-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "kube-state-metrics-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "managedcluster-import-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "management-ingress-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "memcached-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "memcached-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "metrics-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicloud-integrations-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicloud-manager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multiclusterhub-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multiclusterhub-repo-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-observability-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-application-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-channel-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-deployable-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-placementrule-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-subscription-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "multicluster-operators-subscription-release-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "node-exporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "observatorium-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "observatorium-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "openshift-hive-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "placement-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "prometheus-alertmanager-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "prometheus-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "provider-credential-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rbac-query-proxy-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "redisgraph-tls-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "registration-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "registration-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-agent-service-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-agent-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "rhacm-assisted-installer-reporter-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-aggregator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-api-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-collector-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-operator-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "search-ui-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "submariner-addon-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "thanos-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "thanos-receive-controller-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-rclone-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-restic-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "volsync-mover-rsync-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:4618", "cpe": "cpe:/a:redhat:acm:2.4::el8", "package": "work-container", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2", "release_date": "2021-11-11T00:00:00Z"}, {"advisory": "RHSA-2021:3623", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "nodejs:12-8040020210817133458.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-09-21T00:00:00Z"}, {"advisory": "RHSA-2021:3666", "cpe": "cpe:/a:redhat:enterprise_linux:8", "impact": "moderate", "package": "nodejs:14-8040020210817165654.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-09-27T00:00:00Z"}, {"advisory": "RHSA-2021:3639", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "nodejs:12-8010020210817113128.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-09-22T00:00:00Z"}, {"advisory": "RHSA-2021:3638", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "nodejs:12-8020020210817125332.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-09-22T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/cephcsi-rhel8:4.9-164.57484e3.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/ocs-must-gather-rhel8:4.9-257.4181add.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/ocs-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/ocs-rhel8-operator:4.9-257.4181add.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-console-rhel8:4.9-39.0f2fa23.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-multicluster-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odf-rhel8-operator:4.9-59.c8bbc1f.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odr-cluster-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odr-hub-operator-bundle:4.9.0-5", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/odr-rhel8-operator:4.9-27.3d037cc.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/rook-ceph-rhel8-operator:4.9-219.c3f67c6.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf4/volume-replication-rhel8-operator:4.9-28.82f68db.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:5086", "cpe": "cpe:/a:redhat:openshift_data_foundation:4.9::el8", "package": "odf/odf-multicluster-rhel8-operator:4.9-30.007b3d8.release_4.9", "product_name": "Red Hat OpenShift Data Foundation 4.9.0 on RHEL-8", "release_date": "2021-12-13T00:00:00Z"}, {"advisory": "RHSA-2021:3280", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs14-nodejs-0:14.17.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs12-nodejs-0:12.22.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3280", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs14-nodejs-0:14.17.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs12-nodejs-0:12.22.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-26T00:00:00Z"}, {"advisory": "RHSA-2021:3281", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "impact": "moderate", "package": "rh-nodejs12-nodejs-nodemon-0:2.0.3-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-26T00:00:00Z"}], "bugzilla": {"description": "nodejs-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite", "id": "1990409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1990409"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "status": "verified"}, "cwe": "CWE-22", "details": ["The npm package \"tar\" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.", "The npm package \"tar\" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file."], "name": "CVE-2021-32804", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-grafana", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:service_mesh:2.0", "fix_state": "Will not fix", "package_name": "servicemesh-prometheus", "product_name": "OpenShift Service Mesh 2.0"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "impact": "low", "package_name": "rhacm2/application-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhacm2/console-header-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhacm2/console-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhacm2/console-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "rhacm2/grc-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhacm2/kui-web-terminal-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "impact": "low", "package_name": "rhacm2/mcm-topology-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "impact": "low", "package_name": "rhacm2/search-ui-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nodejs:16/nodejs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "impact": "moderate", "package_name": "tar-pack", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Will not fix", "impact": "moderate", "package_name": "openshift4/ose-grafana", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Affected", "impact": "moderate", "package_name": "ocs4/mcg-core-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "impact": "moderate", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "impact": "moderate", "package_name": "quay", "product_name": "Red Hat Quay 3"}], "public_date": "2021-08-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-32804\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-32804\nhttps://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9"], "statement": "Red Hat Quay 3.3 uses an affected version of nodejs-tar. However Quay 3.3 is in extended life phase and a fix will not be delivered[1]. More recent versions of Red Hat Quay do not include nodejs-tar and are not affected.\n1. https://access.redhat.com/support/policy/updates/rhquay\nRed Hat Enterprise Linux version 8 and Red Hat Software Collection both embed node-tar in the npm command. A specially crafted node module could create and overwrite files outside of its dedicated directory.", "threat_severity": "Moderate"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object