Skip to main content

Archive Tar

3 CVEs product

Monthly

CVE-2021-32610 PHP HIGH PATCH This Week

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity.

Information Disclosure Archive Tar Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.1
EPSS
73.4%
CVE-2020-28949 PHP HIGH POC KEV PATCH THREAT Act Now

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Archive Tar Debian Linux Fedora Drupal
NVD GitHub
CVSS 3.1
7.8
EPSS
84.6%
CVE-2020-28948 PHP HIGH POC PATCH THREAT This Week

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Archive Tar Debian Linux Fedora Drupal
NVD GitHub
CVSS 3.1
7.8
EPSS
47.5%
EPSS 73% CVSS 7.1
HIGH PATCH This Week

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity.

Information Disclosure Archive Tar Debian Linux +1
NVD GitHub
EPSS 85% CVSS 7.8
HIGH POC KEV PATCH THREAT Act Now

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Archive Tar Debian Linux +2
NVD GitHub
EPSS 47% CVSS 7.8
HIGH POC PATCH THREAT This Week

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Archive Tar Debian Linux +2
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy