Symlink Arbitrary File Overwrite

Module: tar

Published: November 3rd, 2015

Reported by: Tim Cuthbertson

CVE-2015-8860

CWE-59

Vulnerable: <2.0.0
Patched: >=2.0.0

Overview

Versions of tar prior to 2.0.0 are affected by an arbitrary file write vulnerability. The vulnerability occurs because tar does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.

Remediation

Update to version 2.0.0 or later.

References

Release v2.7.5