GHSA-xf7w-r453-m56c

Suggest an improvement
Source
https://github.com/advisories/GHSA-xf7w-r453-m56c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-xf7w-r453-m56c/GHSA-xf7w-r453-m56c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xf7w-r453-m56c
Aliases
Published
2019-05-30T17:19:34Z
Modified
2023-11-08T04:01:07.720925Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Arbitrary File Overwrite in fstream
Details

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Recommendation

Upgrade to version 1.0.12 or later.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-59"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2019-05-30T17:17:33Z"
}
References

Affected packages

npm / fstream

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.12

Ecosystem specific

{
    "affected_functions": [
        "(fstream).DirWriter"
    ]
}