Vulnerability Details : CVE-2018-20835
A vulnerability was found in tar-fs before 1.16.2. An arbitrary file overwrite is possible when extracting a tarball that contains a hardlink entry whose target is a file that already exists on the system, followed by a plain-file entry with the same name as the hardlink. The extractor first creates the hardlink and then writes the plain file through it, so the attacker-supplied content replaces the content of the existing file. The fix forces hardlink targets to resolve to entries within the tar being extracted.
Vulnerability category: Input validation
Products affected by CVE-2018-20835
- cpe:2.3:a:tar-fs_project:tar-fs:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-20835
- EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
- Percentile: ~58% (proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2018-20835
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P | 10.0 | 4.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2018-20835
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-20835
- https://github.com/mafintosh/tar-fs/commit/06672828e6fa29ac8551b1b6f36c852a9a3c58a2 (force hardlink targets to be in the tar · mafintosh/tar-fs@0667282 · GitHub) [Patch; Third Party Advisory]
- https://hackerone.com/reports/344595 (#344595 Arbitrary file overwrites in `node-tar`) [Exploit; Third Party Advisory]
- https://github.com/mafintosh/tar-fs/compare/d590fc7...a35ce2f (Comparing d590fc7...a35ce2f · mafintosh/tar-fs · GitHub) [Patch; Third Party Advisory]