A vulnerability was found in nodejs-tar before version 4.4.2: an arbitrary file overwrite when extracting a tarball that contains a hard link to a file that already exists on the system, followed by a regular file entry with the same name as the hard link. Because the later entry is written through the path that now links to the existing file, the system file is overwritten with the contents of the extracted file.
Created nodejs-tar tracking bugs for this issue:
Affects: epel-all [bug 1702339]
Affects: fedora-all [bug 1702340]
Raised the CVSS score to CIA:HHH as the specially crafted tar file could overwrite files that would allow an attacker to execute code on the victim's machine as his user.
Red Hat Software Collection Node.js 10 (rh-nodejs10-nodejs) is not affected by this flaw because it already contains the patched code.
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:1821 https://access.redhat.com/errata/RHSA-2019:1821
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):