CVE-2024-12905

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.

This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

References

Affected packages

Git / github.com/mafintosh/tar-fs

Affected ranges

Type

GIT

Repo

https://github.com/mafintosh/tar-fs

Events

Introduced

0f54a78bcc8735c4257177fd004c2f9e55c588bb

Fixed

d97731b0e1b8a244ab859784b514cfcf5585ad3d

Introduced

6d66143dc5e40480dd6135a4453f6da26a5602e0

Fixed

e4a7a401e80267247b8e9e39d8e5ba82c4fe2f7b

Fixed

a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.2"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.8"
        }
    ]
}

Affected versions

v2.*

v2.0.0

v2.0.1

v2.1.0

v2.1.1

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0.0.0"
            },
            {
                "fixed": "1.16.4"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-12905.json"