CVE-2021-38511: Links in archive can create arbitrary directories
(updated )
When unpacking a tarball that contains a symlink the tar crate may create directories outside of the directory it’s supposed to unpack into. The function errors when it’s trying to create a file, but the folders are already created at this point.
References
- github.com/advisories/GHSA-62jx-8vmh-4mcw
- github.com/alexcrichton/tar-rs
- github.com/alexcrichton/tar-rs/issues/238
- github.com/alexcrichton/tar-rs/pull/259
- nvd.nist.gov/vuln/detail/CVE-2021-38511
- raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md
- rustsec.org/advisories/RUSTSEC-2021-0080.html
Code Behaviors & Features
Detect and mitigate CVE-2021-38511 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →