tar-fs is a filesystem bindings for tar-stream.

Affected versions of this package are vulnerable to Symlink Following via the symlink validation process in the inCwd function. An attacker can write files outside the intended extraction directory by crafting a malicious tarball that contains symlinks starting with the name of the current working directory.

Affected versions of this package are vulnerable to Symlink Attack via _untar_without_filter when used with Python versions that do not implement PEP 706 (<3.9.17, <3.10.12, <3.11.4, or <3.12). An attacker can write files outside the target directory by enticing the user to install a tar archive containing malicious symbolic links that are not properly validated to ensure they point within the intended extraction directory.

Note: This is only exploitable through the fallback tar extraction logic used with non-PEP 706 compliant Python versions; when using a Python version that implements PEP 706, pip doesn't use the vulnerable fallback code.

Affected versions of this package are vulnerable to Insufficient Session Expiration in the SpSessionTerminationSamlPortalFilter. An attacker can gain unauthorized access to user accounts by reusing old session tokens via the SLO API, causing the session to be reinitialized when it should be invalidated.