{"id":"CVE-2018-20990","details":"An issue was discovered in the tar crate before 0.4.16 for Rust. Arbitrary file overwrite can occur via a symlink or hardlink in a TAR archive.","aliases":["GHSA-2367-c296-3mp2","RUSTSEC-2018-0002"],"modified":"2026-04-10T04:07:45.094382Z","published":"2019-08-26T13:15:11.070Z","references":[{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2018-0002.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/alexcrichton/tar-rs","events":[{"introduced":"0"},{"fixed":"b3ea06fcaf8b1bf38b4266da3e73bb43fbcbc2d5"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.4.16"}]}}],"versions":["0.1.0","0.1.11","0.1.6","0.1.8","0.1.9","0.2.1","0.2.10","0.2.11","0.2.12","0.2.13","0.2.14","0.2.2","0.2.4","0.2.5","0.2.6","0.2.7","0.2.8","0.2.9","0.3.0","0.3.1","0.3.2","0.3.3","0.4.0","0.4.1","0.4.10","0.4.11","0.4.12","0.4.13","0.4.14","0.4.15","0.4.2","0.4.3","0.4.4","0.4.5","0.4.6","0.4.7","0.4.8","0.4.9","v0.4.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-20990.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}