jspm-git@0.1.0

Vulnerabilities: 2 via 2 paths
Dependencies: 21
Source: npm


high severity

Arbitrary File Overwrite

  • Vulnerable module: tar
  • Introduced through: git-download@0.0.2

Detailed paths

  • Introduced through: jspm-git@0.1.0 git-download@0.0.2 tar@1.0.3

Overview

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. Extracting a tarball that contains a hard link to a file that already exists on the system, followed by a file entry matching that hard link, may overwrite the system's file with the contents of the extracted file.

Remediation

Upgrade tar to version 2.2.2, 4.4.2 or higher.

high severity

Symlink File Overwrite

  • Vulnerable module: tar
  • Introduced through: git-download@0.0.2

Detailed paths

  • Introduced through: jspm-git@0.1.0 git-download@0.0.2 tar@1.0.3
    Remediation: Open PR to patch tar@1.0.3.

Overview

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Symlink File Overwrite. It does not properly normalize symbolic links that point to targets outside the extraction root. As a result, a package may contain symbolic links to parent and sibling directories, and extracting the package may overwrite files in those directories.

Remediation

Upgrade tar to version 2.0.0 or higher.