Rust tar-rs Arbitrary File Overwrite via Symlink/Hardlink (CVE-2018-20990)

Vulnerability ID: RUSTSEC-2018-0002 Vulnerability Description: Links in archives can overwrite any existing file Report Date: June 29, 2018 Release Date: October 1, 2020 (Last Modified: June 13, 2023) Affected Package: tar (crates.io) Vulnerability Type: Vulnerability Keywords: #file-overwrite Aliases: - CVE-2018-20990 - GHSA-2367-c296-3mp2 Reference Link: https://github.com/alexcrichton/tar-rs/pull/156 CVSS Score: 7.5 (HIGH) CVSS Details: - Attack Vector: Network - Attack Complexity: Low - Required Privileges: None - User Interaction: None - Scope: Unchanged - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Fixed Version: >=0.4.16 Description: When unpacking a tarball using the family of functions, the intention is to write files only within the specified directory. However, if the tarball contains hard links or symbolic links, these can be exploited to overwrite any file on the filesystem. A tarball can contain multiple entries for the same file. If a tarball first includes a hard link or symbolic link pointing to any file on the filesystem, the link is created. Subsequently, if the same file appears again in the tarball, the hard link is overwritten, allowing any file on the filesystem to be overwritten. This issue was fixed in https://github.com/alexcrichton/tar-rs/pull/156 and released as 0.4.16. Thanks to Max Justicz for discovering this issue and reporting it via email! Consultation Agreement: CC0-1.0

Goal Reached Thanks to every supporter — we hit 100%!

Rust tar-rs Arbitrary File Overwrite via Symlink/Hardlink (CVE-2018-20990)