WS-2019-0047 (Medium) detected in tar-4.4.1.tgz #418

mend-bolt-for-github · 2019-04-26T17:35:22Z

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Library - tar-4.4.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-4.4.1.tgz

Dependency Hierarchy:

react-scripts-2.1.8.tgz (Root Library)
- fsevents-1.2.4.tgz
  - node-pre-gyp-0.10.0.tgz
    - ❌ tar-4.4.1.tgz (Vulnerable Library)

Found in HEAD commit: 68b7d336565170977b16d9f17e896b4cba3396b1

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

Step up your Open Source Security Game with WhiteSource here

mend-bolt-for-github bot added the security vulnerability Security vulnerability detected by WhiteSource label Apr 26, 2019

jimmyleray closed this as completed May 4, 2019

greenkeeper bot mentioned this issue Aug 1, 2019

An in-range update of enzyme is breaking the build 🚨 #619

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

WS-2019-0047 (Medium) detected in tar-4.4.1.tgz #418

WS-2019-0047 (Medium) detected in tar-4.4.1.tgz #418

mend-bolt-for-github bot commented Apr 26, 2019

WS-2019-0047 (Medium) detected in tar-4.4.1.tgz #418

WS-2019-0047 (Medium) detected in tar-4.4.1.tgz #418

Comments

mend-bolt-for-github bot commented Apr 26, 2019

WS-2019-0047 - Medium Severity Vulnerability