UBUNTU-CVE-2024-12905

Source
https://ubuntu.com/security/CVE-2024-12905
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-12905.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-12905
Related
Published
2025-03-27T17:15:00Z
Modified
2025-04-02T17:02:36Z
Summary
[none]
Details

This is an Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") weakness. It occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

References

Affected packages

Ubuntu:22.04:LTS / node-tar-fs

Package

Name
node-tar-fs
Purl
pkg:deb/ubuntu/node-tar-fs@2.1.1-6?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

2.*

2.1.1-2
2.1.1-4
2.1.1-6

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / node-tar-fs

Package

Name
node-tar-fs
Purl
pkg:deb/ubuntu/node-tar-fs@2.1.1-6?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

2.*

2.1.1-6

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / node-tar-fs

Package

Name
node-tar-fs
Purl
pkg:deb/ubuntu/node-tar-fs@2.1.1-6?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

2.*

2.1.1-6

Ecosystem specific

{
    "ubuntu_priority": "medium"
}