crates.io package
tar
pkg:cargo/tar
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33056 | — | | | < 0.4.45 | 0.4.45 | Mar 20, 2026 | tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, |
| CVE-2021-38511 | — | | | < 0.4.36 | 0.4.36 | Aug 10, 2021 | An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal. |
| CVE-2018-20990 | — | | | < 0.4.16 | 0.4.16 | Aug 26, 2019 | An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive. |