Symlink Arbitrary File Overwrite

Module: tar

Published: November 3rd, 2015

Reported by: Tim Cuthbertson

CVE-2015-8860

CWE-59

Vulnerable: <2.0.0
Patched: >=2.0.0

Overview

Versions of the tar module earlier than 2.0.0 allow an archive to contain symbolic links whose targets point outside the extraction directory. Entries written through such a link land wherever the link points, so a crafted archive can overwrite files outside the expected extraction path.

Remediation

Update to version 2.0.0 or later.
