npm

Severity: critical

Symlink Arbitrary File Overwrite

tar

Overview

Versions of tar prior to 2.0.0 are affected by an arbitrary file write vulnerability. The vulnerability occurs because tar does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.

Remediation

Update to version 2.0.0 or later.


Advisory timeline

  1. published
     Advisory published
     Nov 3rd, 2015
  2. reported
     Initial report by Tim Cuthbertson
     Nov 3rd, 2015