CVE-2020-28949 : Archive_Tar through 1.4.10 has :// filename sanitization only to address phar at

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Published 2020-11-19 19:15:12

Updated 2025-02-07 14:15:48

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2020-28949

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
PHP » Archive Tar
Versions before (<) 1.4.12
cpe:2.3:a:php:archive_tar:*:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal
Versions from including (>=) 8.0.0 and before (<) 8.9.10
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal
Versions from including (>=) 9.0.0 and before (<) 9.0.9
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal
Versions from including (>=) 8.8.0 and before (<) 8.8.12
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Matching versions
Drupal » Drupal
Versions from including (>=) 7.0 and before (<) 7.75
cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions

CVE-2020-28949 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal

Notes:

https://pear.php.net/bugs/bug.php?id=27002, https://www.drupal.org/sa-core-2020-013, https://access.redhat.com/security/cve/cve-2020-28949; https://nvd.nist.gov/vuln/detail/CVE-2020-28949

Added on 2022-08-25 Action due date 2022-09-15

Exploit prediction scoring system (EPSS) score for CVE-2020-28949

EPSS FAQ

93.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2020-28949

PEAR Archive_Tar 1.4.10 Arbitrary File Write

Disclosure Date: 2020-11-17

First seen: 2021-03-12

exploit/multi/fileformat/archive_tar_arb_file_write

This module takes advantages of Archive_Tar <= 1.4.10's lack of validation of file stream wrappers contained within filenames to write an arbitrary file containing user controlled content to an arbitrary file on disk. Note that the file will be written to disk with the

More information

CVSS scores for CVE-2020-28949

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-07
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2020-28949

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

[SECURITY] Fedora 33 Update: php-pear-1.10.12-4.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://security.gentoo.org/glsa/202101-23

PEAR Archive_Tar: Directory traversal (GLSA 202101-23) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

[SECURITY] Fedora 32 Update: drupal8-8.9.11-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html

PEAR Archive_Tar Arbitrary File Write ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

[SECURITY] Fedora 34 Update: drupal7-7.82-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

[SECURITY] [DLA 2466-1] drupal7 security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

[SECURITY] Fedora 33 Update: php-pear-1.10.12-4.fc33 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

[SECURITY] Fedora 35 Update: drupal7-7.82-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

Third Party Advisory

CVEs referencing this url
https://www.drupal.org/sa-core-2020-013

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013 | Drupal.org
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

[SECURITY] Fedora 33 Update: drupal8-8.9.11-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

[SECURITY] Fedora 34 Update: drupal7-7.82-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/pear/Archive_Tar/issues/33

Multiple vulnerabilities through filename manipulation · Issue #33 · pear/Archive_Tar · GitHub
Exploit;Issue Tracking;Vendor Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

[SECURITY] Fedora 35 Update: drupal7-7.82-1.fc35 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2020/dsa-4817

Debian -- Security Information -- DSA-4817-1 php-pear
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/

[SECURITY] Fedora 32 Update: php-pear-1.10.12-4.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/

[SECURITY] Fedora 32 Update: php-pear-1.10.12-4.fc32 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url

Jump to