7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-20990

GHSA ID

GHSA-2367-c296-3mp2

EPSS Score

0.52847%

CWE

CWE-59

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-20990

CVE-2018-20990: Arbitrary file overwrite in tar-rs

When unpacking a tarball with the unpack_in-family of functions it's intended that only files within the specified directory are able to be written. Tarballs with hard links or symlinks, however, can be used to overwrite any file on the filesystem. Tarballs can contain multiple entries for the same file. A tarball which first contains an entry for a hard link or symlink pointing to any file on the filesystem will have the link created, and then afterwards if the same file is listed in the tarball the hard link will be rewritten and any file can be rewritten on the filesystem.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-20990

GHSA ID

GHSA-2367-c296-3mp2

EPSS Score

0.52847%

CWE

CWE-59

Published

8/25/2021

Updated

6/13/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tar	rust	< 0.4.16	0.4.16

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) Inadequate validation of hard link destinations in unpack_in allowed escaping the target directory via canonicalization checks. The commit added validate_inside_dst to address this. 2) The regular file unpack path didn't remove existing files first, enabling symlink/hardlink attacks. The patch added explicit file removal before creation. Both issues are clearly shown in the diff modifying entry.rs's unpack logic and hard link handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n unp**kin* * t*r**ll wit* t** unp**k_in-**mily o* *un*tions it's int*n*** t**t only *il*s wit*in t** sp**i*i** *ir**tory *r* **l* to ** writt*n. T*r**lls wit* **r* links or symlinks, *ow*v*r, **n ** us** to ov*rwrit* *ny *il* on t** *il*syst*m. T

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) In***qu*t* v*li**tion o* **r* link **stin*tions in unp**k_in *llow** *s**pin* t** t*r**t *ir**tory vi* **noni**liz*tion ****ks. T** *ommit ***** v*li**t*_insi**_*st to ***r*ss t*is. *) T** r**ul*r *il

7.5

Basic Information

Concerned about an active attack path?

CVE-2018-20990: Arbitrary file overwrite in tar-rs

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI