RUSTSEC-2021-0080: 
Rust vulnerability analysis and mitigation

The tar crate for Rust (before version 0.4.36) contains a directory traversal vulnerability identified as RUSTSEC-2021-0080 (CVE-2021-38511). The vulnerability was discovered and disclosed in August 2021, affecting the tar package's archive extraction functionality. When symlinks are present in a TAR archive, the extraction process can be exploited to create arbitrary directories outside the intended destination directory through path traversal using '..' sequences (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The issue is classified under CWE-59 (Improper Link Resolution Before File Access). The vulnerability stems from improper handling of symbolic links during archive extraction, where the tar crate fails to properly validate paths when creating directories, allowing for directory traversal attacks (NVD).

When exploited, this vulnerability allows attackers to create directories outside the intended extraction directory through path traversal. This can lead to unauthorized file system access and potential privilege escalation, as the application may create directories in unintended locations with potentially elevated privileges (NVD).

The vulnerability has been patched in version 0.4.36 of the tar crate. Users are strongly advised to upgrade to this version or later to mitigate the security risk. No alternative workarounds have been publicly documented (NVD).