CVE-2023-31483
Description
tar/TarFileReader.cpp in Cauldron cbang before bastet-v8.1.17 has a directory traversal during extraction that allows the attacker to create or write to files outside the current directory via a crafted tar archive.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in Cauldron cbang's TarFileReader allows attackers to write files outside the extraction directory using a crafted tar archive.
Vulnerability
The vulnerability exists in tar/TarFileReader.cpp of Cauldron Development LLC's cbang library prior to version bastet-v8.1.17. The TarFileReader::extract function checks whether the canonical target path lies under the canonical extraction directory using the startsWith string comparison in String.cpp, and that comparison returns true for certain path traversal sequences. This allows a crafted tar archive to bypass the directory traversal check. The issue was fixed in bastet-v8.1.17 [1][2].
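An added illustration, not cbang's code, of why a plain string-prefix test on a normalized path is a weak containment check, shown beside a check that requires the prefix to end on a path-component boundary. The function names, the /srv/out root and the entry names are constructed for this example; the page does not state which exact input defeats cbang's check.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Lexically normalize an absolute POSIX-style path: collapse "//" and ".",
// resolve "..". Symlinks are NOT resolved here; production code must also
// canonicalize against the filesystem.
std::string normalize(const std::string &path) {
  std::vector<std::string> parts;
  std::string cur;
  for (size_t i = 0; i <= path.size(); i++) {
    if (i < path.size() && path[i] != '/') { cur += path[i]; continue; }
    if (cur == "..") { if (!parts.empty()) parts.pop_back(); }
    else if (!cur.empty() && cur != ".") parts.push_back(cur);
    cur.clear();
  }
  std::string out;
  for (size_t i = 0; i < parts.size(); i++) out += "/" + parts[i];
  return out.empty() ? std::string("/") : out;
}

// Weak: raw string prefix on the normalized target (root assumed normalized).
// "/srv/out-old/x" starts with "/srv/out", so a sibling directory passes.
bool weakInside(const std::string &root, const std::string &entry) {
  std::string target = normalize(root + "/" + entry);
  return target.compare(0, root.size(), root) == 0;
}

// Hardened: reject absolute entry names, then require the character after
// the matched prefix to be '/', so only true descendants of root pass.
bool strictInside(const std::string &root, const std::string &entry) {
  if (entry.empty() || entry[0] == '/') return false;
  std::string base = normalize(root);
  std::string target = normalize(base + "/" + entry);
  if (base == "/") return target.size() > 1;
  return target.size() > base.size() &&
         target.compare(0, base.size(), base) == 0 &&
         target[base.size()] == '/';
}

int main() {
  const std::string root = "/srv/out";  // constructed extraction root
  const char *entries[] = {"docs/a.txt", "../out-old/a.txt", "../../etc/x"};
  for (const char *e : entries)
    std::cout << e << " weak=" << weakInside(root, e)
              << " strict=" << strictInside(root, e) << "\n";
  return 0;
}
```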
Exploitation
An attacker needs to craft a tar archive with path entries that include traversal sequences (e.g., ../) that exploit the flawed startsWith comparison. The attacker must convince a user or service to extract this archive using the vulnerable version of cbang's tar extraction functionality. No special network position or authentication is required beyond the ability to deliver the tar file. The extraction process will write files outside the intended extraction directory [2].
Impact
Successful exploitation allows an attacker to create or overwrite files anywhere on the filesystem where the extracting process has write permissions. This can lead to arbitrary file write, potentially resulting in code execution (e.g., overwriting configuration files or scripts) or denial of service. The compromise scope depends on the privileges of the user running the extraction [2].
Mitigation
The vulnerability is fixed in version bastet-v8.1.17 of cbang, released on or before 2023-04-28 [1]. Users should update to this version or later. There is no known workaround for this issue. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cauldron/Cauldron cbang
- Range: < bastet-v8.1.17
Patches
No patches discovered yet.