The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
According to the regular security release window schedule, November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable.
{"id": "DRUPAL-SA-CORE-2020-013", "type": "drupal", "bulletinFamily": "software", "title": "Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013\n", "description": "Project: \n\nDrupal core\n\nDate: \n\n2020-November-25\n\nSecurity risk: \n\n**Critical** 18\u221525 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon\n\nVulnerability: \n\nArbitrary PHP code execution\n\nCVE IDs: \n\nCVE-2020-28949\n\nCVE-2020-28948\n\nDescription: \n\nThe Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:\n\n * [CVE-2020-28948](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948>)\n * [CVE-2020-28949](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949>)\n\nMultiple vulnerabilities are possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processes them.\n\n**To mitigate this issue, prevent untrusted users from uploading `.tar`, `.tar.gz`, `.bz2`, or `.tlz` files.**\n\nThis is a different issue than [SA-CORE-2019-012](<https://www.drupal.org/sa-core-2019-012>). 
Similar configuration changes may mitigate the problem until you are able to patch.\n\nSolution: \n\nInstall the latest version:\n\n * If you are using Drupal 9.0, update to [Drupal 9.0.9](<https://www.drupal.org/project/drupal/releases/9.0.9>)\n * If you are using Drupal 8.9, update to [Drupal 8.9.10](<https://www.drupal.org/project/drupal/releases/8.9.10>)\n * If you are using Drupal 8.8 or earlier, update to [Drupal 8.8.12](<https://www.drupal.org/project/drupal/releases/8.8.12>)\n * If you are using Drupal 7, update to [Drupal 7.75](<https://www.drupal.org/project/drupal/releases/7.75>)\n\nVersions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.\n\nAccording to the regular [security release window schedule](<https://www.drupal.org/node/1173280>), November 25th would not typically be a core security window. However, this release is necessary because there are known exploits for one of core's dependencies and some configurations of Drupal are vulnerable.\n\nReported By: \n\n * [Luke Stewart](<https://www.drupal.org/user/3564081>)\n\nFixed By: \n\n * [Jess ](<https://www.drupal.org/user/65776>) of the Drupal Security Team\n * [Drew Webber](<https://www.drupal.org/user/255969>) of the Drupal Security Team\n * [Michael Hess](<https://www.drupal.org/user/102818>) of the Drupal Security Team\n * [Neil Drumm](<https://www.drupal.org/user/3064>) of the Drupal Security Team\n * [Lee Rowlands](<https://www.drupal.org/user/395439>) of the Drupal Security Team\n", "published": "2020-11-25T00:00:00", "modified": "2020-11-25T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://www.drupal.org/sa-core-2020-013", "reporter": "Drupal Security Team", "references": ["https://www.drupal.org/user/102818", "https://www.drupal.org/node/1173280", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949", "https://www.drupal.org/project/drupal/releases/8.8.12", "https://www.drupal.org/user/395439", 
"https://www.drupal.org/user/65776", "https://www.drupal.org/project/drupal/releases/8.9.10", "https://www.drupal.org/project/drupal/releases/9.0.9", "https://www.drupal.org/sa-core-2019-012", "https://www.drupal.org/user/3064", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948", "https://www.drupal.org/project/drupal/releases/7.75", "https://www.drupal.org/user/255969", "https://www.drupal.org/user/3564081"], "cvelist": ["CVE-2020-28948", "CVE-2020-28949"], "lastseen": "2020-12-04T21:42:47", "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:BE278831-3863-408B-A0DF-F5BA31743619", "AKB:E0A0701E-20C0-4622-AA27-40F9B66C0263"]}, {"type": "cve", "idList": ["CVE-2020-28948", "CVE-2020-28949"]}, {"type": "nessus", "idList": ["FEDORA_2020-F351EB14E3.NASL", "DEBIAN_DSA-4817.NASL", "AL2_ALAS-2021-1584.NASL", "FEDORA_2020-6F1079934C.NASL", "DRUPAL_9_0_9.NASL", "FEDORA_2020-D50D74D6F2.NASL", "FEDORA_2020-5271A896FF.NASL", "DEBIAN_DLA-2466.NASL", "UBUNTU_USN-4654-1.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2465-1:399F1", "DEBIAN:DSA-4817-1:29D39", "DEBIAN:DLA-2466-1:EB8EC"]}, {"type": "ubuntu", "idList": ["USN-4654-1"]}, {"type": "amazon", "idList": ["ALAS2-2021-1584", "ALAS-2021-1466"]}, {"type": "fedora", "idList": ["FEDORA:22650309BA59", "FEDORA:CB14530BF574", "FEDORA:C13D4309CBA7", "FEDORA:82CB630AAF1A"]}, {"type": "drupal", "idList": ["DRUPAL-SA-CORE-2019-012"]}], "modified": "2020-12-04T21:42:47", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-12-04T21:42:47", "rev": 2}, "vulnersScore": 5.4}, "affectedSoftware": []}
{"attackerkb": [{"lastseen": "2021-01-15T21:11:19", "bulletinFamily": "info", "cvelist": ["CVE-2020-28948", "CVE-2020-28949"], "description": "Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 15, 2021 8:42pm UTC reported:\n\nOriginal advisory and PoC can be found at <https://github.com/pear/Archive_Tar/issues/33>\n\nThis vulnerability is very similar to [CVE-2020-28948](<https://attackerkb.com/topics/jwBHsAjcuV/cve-2020-28948>), with a couple of key differences. In the case of CVE-2020-28948, the root issue was that the code within Archive_Tar didn\u2019t use case sensitive checks to ensure file names didn\u2019t start with `phar://`. Here the issue is the same however it stems from a lack of checks. More specifically as mentioned in [my writeup on CVE-2020-28948](<https://attackerkb.com/assessments/12dc6840-6897-467c-9bf2-db40c8dfa12f>), Archive_Tar prior to 1.4.11 checked, using `strpos()`, that filenames within a TAR archive did not start with the characters `phar://` and did not contain the characters `../` or `..\\`.\n\nNotice however that there is a problem here: we can still use any other file stream wrapper other than the `phar://` file handler within a file name to trigger the corresponding wrapper handler. A full list of PHP file stream wrappers can be found at <https://www.php.net/manual/en/wrappers.php>.\n\nLooking at these stream wrappers reveals there are a few that might help with file writes. 
In fact, as shown in the PoC at <https://github.com/pear/Archive_Tar/issues/33>, if one creates a file within a TAR archive with a name such as `file:///etc/passwd`, then when the TAR archive is extracted, the corresponding file, which in this case would be `/etc/passwd`, will be overwritten with attacker controlled contents, assuming the user that PHP is running as has permissions to create or overwrite that file.\n\nThis leads to an arbitrary file upload vulnerability whereby an attacker could potentially overwrite existing files with arbitrary content. The attacker would however need to know the exact path on disk to the file that they wished to write: remember that `..\\` and `../` are not allowed in filenames and even if they were, the `file://` stream wrapper requires the use of absolute paths.\n\nAgain as noted in [my writeup on CVE-2020-28948](<https://attackerkb.com/assessments/12dc6840-6897-467c-9bf2-db40c8dfa12f>), this bug entirely depends on the fact that a vulnerable application makes use of this library and also extracts the contents of the TAR file as part of its operations. 
If the application only allows TAR file uploads but it doesn\u2019t actually try to extract the contents of the TAR file as part of its operations, then this vulnerability will never be triggered.\n\nThat being said assuming an attacker does know the right path and the application is set up to extract TAR files, then this can easily lead to RCE via overwriting existing PHP files on the target system.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4\n", "modified": "2020-12-03T00:00:00", "published": "2020-11-19T00:00:00", "id": "AKB:BE278831-3863-408B-A0DF-F5BA31743619", "href": "https://attackerkb.com/topics/gLmKfmD9Dl/cve-2020-28949", "type": "attackerkb", "title": "CVE-2020-28949", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-15T21:12:56", "bulletinFamily": "info", "cvelist": ["CVE-2020-28948"], "description": "Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 15, 2021 7:39pm UTC reported:\n\nEdit: PoC code for this can be found at <https://github.com/pear/Archive_Tar/issues/33> along with the original advisory.\n\nAn interesting vulnerability using the concepts of PHAR file deserialization as first discussed at BlackHat in this video: <https://www.youtube.com/watch?v=OrEar0TiS90>. For those who don\u2019t know, the `phar://` file stream handler allows opening PHAR files, which are basically PHP archive files containing a bunch of related files (mostly tends to be PHP files within the archive, but can be other things as well). What\u2019s interesting about PHAR files is that their metadata is formed via a `serialize()` call when they\u2019re created, and when files are extracted, `unserialize()` will automatically be called on that metadata string. 
This leads to the potential for serialization attacks even when the application doesn\u2019t explicitly use `unserialize()` calls.\n\nIn this case, the Archive_Tar developers were aware of this prior research and attempted to explicitly block `phar://`, `../`, and `..\\` within any file name contained with the `tar` archive by performing a `strpos` call using these strings and erroring out if the string contained these characters. Unfortunately that check is really poor for a number of reasons.\n\nThe specific reason related to this CVE, aka CVE-2020-28948, is that users can simply use `PHAR://` to bypass this check. In other words, the check performed by `strpos()` is not case sensitive, so one can easily bypass it by simply changing the case of the string. They could also mix the case, so an example like `pHaR://` might also work.\n\nThis then allows attackers to perform attacks where they can load a local PHAR file on the target system and use a deserialization attack to perform some malicious action. Assuming an app is already extracting the contents of the TAR files locally, an attacker would simply have to upload a TAR file containing a malicious PHAR file and have the app extract and save the PHAR file locally, after which they could upload a second TAR file containing a file named `PHAR://*malicious PHAR file location*` and the PHP app would attempt to access and extract the local PHAR file, thereby triggering the vulnerability.\n\nNotice that the `PHAR://` file handler does not allow for accessing remote files, which is why this procedure is required.\n\nResearch into deserialization gadgets for this exploit showed that most of the potential possibilities seem mostly restricted to file operations. The PoC showed that it would be possible to delete a file using this vulnerability but I was not able to determine any other useful actions that could be performed. 
Potential impact would depend both on the privileges of the user running PHP as well as what operations the app was doing; again remember the program will only be able to do file operations so most likely an attacker would have to package a malicious PHP file within the PHAR archive, have that be extracted somehow along with the malicious PHAR file, and then also have a file within the TAR archive that has a filename of `PHAR://*path to malicious PHAR archive that was uploaded*` to form a full end to end payload and get RCE.\n\nOverall I\u2019d say this is an interesting bug but its exploitability is somewhat limited and depends highly on the underlying application it is used within.\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 4\n", "modified": "2020-12-03T00:00:00", "published": "2020-11-19T00:00:00", "id": "AKB:E0A0701E-20C0-4622-AA27-40F9B66C0263", "href": "https://attackerkb.com/topics/jwBHsAjcuV/cve-2020-28948", "type": "attackerkb", "title": "CVE-2020-28948", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2020-12-24T13:57:56", "description": "Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-19T19:15:00", "title": "CVE-2020-28949", "type": "cve", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28949"], "modified": "2020-12-23T18:22:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/a:php:archive_tar:1.4.10", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-28949", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28949", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:a:php:archive_tar:1.4.10:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-24T13:57:56", "description": "Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-19T19:15:00", "title": "CVE-2020-28948", "type": "cve", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28948"], "modified": "2020-12-23T18:22:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33", "cpe:/a:php:archive_tar:1.4.10", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-28948", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28948", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:a:php:archive_tar:1.4.10:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28948", "CVE-2020-28949"], "description": "PEAR is a framework and distribution system for reusable PHP components. This package contains the basic PEAR components. ", "modified": "2020-12-02T10:40:12", "published": "2020-12-02T10:40:12", "id": "FEDORA:CB14530BF574", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: php-pear-1.10.12-4.fc33", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28948", "CVE-2020-28949"], "description": "PEAR is a framework and distribution system for reusable PHP components. This package contains the basic PEAR components. 
", "modified": "2020-12-02T10:40:00", "published": "2020-12-02T10:40:00", "id": "FEDORA:82CB630AAF1A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: php-pear-1.10.12-4.fc32", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13666", "CVE-2020-13667", "CVE-2020-13668", "CVE-2020-13669", "CVE-2020-13670", "CVE-2020-13671", "CVE-2020-28948", "CVE-2020-28949"], "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. ", "modified": "2020-12-15T01:22:18", "published": "2020-12-15T01:22:18", "id": "FEDORA:C13D4309CBA7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: drupal8-8.9.11-1.fc33", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13666", "CVE-2020-13667", "CVE-2020-13668", "CVE-2020-13669", "CVE-2020-13670", "CVE-2020-13671", "CVE-2020-28948", "CVE-2020-28949"], "description": "Drupal is an open source content management platform powering millions of websites and applications. It=EF=BF=BD=EF=BF=BD=EF=BF=BDs built, used, and supported by an active and diverse community of people around the world. ", "modified": "2020-12-15T01:41:04", "published": "2020-12-15T01:41:04", "id": "FEDORA:22650309BA59", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: drupal8-8.9.11-1.fc32", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2021-01-08T01:44:37", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "description": "**Issue Overview:**\n\nArchive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. 
([CVE-2020-28948 __](<https://access.redhat.com/security/cve/CVE-2020-28948>))\n\nArchive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. ([CVE-2020-28949 __](<https://access.redhat.com/security/cve/CVE-2020-28949>))\n\n \n**Affected Packages:** \n\n\nphp-pear\n\n \n**Issue Correction:** \nRun _yum update php-pear_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n php-pear-1.10.12-4.amzn2.0.1.noarch \n \n src: \n php-pear-1.10.12-4.amzn2.0.1.src \n \n \n", "edition": 1, "modified": "2021-01-05T23:34:00", "published": "2021-01-05T23:34:00", "id": "ALAS2-2021-1584", "href": "https://alas.aws.amazon.com/AL2/ALAS-2021-1584.html", "title": "Medium: php-pear", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-15T01:26:55", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "description": "**Issue Overview:**\n\nArchive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. ([CVE-2020-28948 __](<https://access.redhat.com/security/cve/CVE-2020-28948>))\n\nArchive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. ([CVE-2020-28949 __](<https://access.redhat.com/security/cve/CVE-2020-28949>))\n\n \n**Affected Packages:** \n\n\nphp7-pear\n\n \n**Issue Correction:** \nRun _yum update php7-pear_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n php7-pear-1.10.12-4.30.amzn1.noarch \n \n src: \n php7-pear-1.10.12-4.30.amzn1.src \n \n \n", "edition": 1, "modified": "2021-01-12T22:51:00", "published": "2021-01-12T22:51:00", "id": "ALAS-2021-1466", "href": "https://alas.aws.amazon.com/ALAS-2021-1466.html", "title": "Medium: php7-pear", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-08T17:17:07", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the ALAS2-2021-1584 advisory.\n\n - Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not\n blocked. (CVE-2020-28948)\n\n - Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other\n stream-wrapper attack (such as file:// to overwrite files) can still succeed. 
(CVE-2020-28949)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 1, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-01-07T00:00:00", "title": "Amazon Linux 2 : php-pear (ALAS-2021-1584)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "modified": "2021-01-07T00:00:00", "cpe": ["cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:php-pear"], "id": "AL2_ALAS-2021-1584.NASL", "href": "https://www.tenable.com/plugins/nessus/144803", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n# \n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2021-1584.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144803);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/07\");\n\n script_cve_id(\"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"ALAS\", value:\"2021-1584\");\n\n script_name(english:\"Amazon Linux 2 : php-pear (ALAS-2021-1584)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the ALAS2-2021-1584 advisory.\n\n - Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not\n blocked. (CVE-2020-28948)\n\n - Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other\n stream-wrapper attack (such as file:// to overwrite files) can still succeed. 
(CVE-2020-28949)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2021-1584.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-28948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-28949\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update php-pear' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28949\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'php-pear-1.10.12-4.amzn2.0.1', 'release':'AL2'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n 
exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-pear\");\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-05T09:56:00", "description": "According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.75,\n8.x prior to 8.8.12, 8.9.x prior to 8.9.10, or 9.0.x prior to 9.0.9. It is, therefore, affected by multiple\nvulnerabilities:\n\n - Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not\n blocked. (CVE-2020-28948)\n\n - Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other\n stream-wrapper attack (such as file:// to overwrite files) can still succeed. (CVE-2020-28949)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-11-27T00:00:00", "title": "Drupal 7.x < 7.75 / 8.x < 8.8.12 / 8.9.x < 8.9.10 / 9.0.x < 9.0.9 Multiple Vulnerabilities (SA-CORE-2020-013)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "modified": "2020-11-27T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_9_0_9.NASL", "href": "https://www.tenable.com/plugins/nessus/143274", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143274);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/04\");\n\n script_cve_id(\"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"IAVA\", value:\"2020-A-0545\");\n\n script_name(english:\"Drupal 7.x < 7.75 / 8.x < 8.8.12 / 8.9.x < 8.9.10 / 9.0.x < 9.0.9 Multiple Vulnerabilities (SA-CORE-2020-013)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"A PHP application running on the remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.75,\n8.x prior to 8.8.12, 8.9.x prior to 8.9.10, or 9.0.x prior to 9.0.9. It is, therefore, affected by multiple\nvulnerabilities:\n\n - Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not\n blocked. (CVE-2020-28948)\n\n - Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other\n stream-wrapper attack (such as file:// to overwrite files) can still succeed. (CVE-2020-28949)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/sa-core-2020-013\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/node/1173280\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/7.75\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.8.12\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.9.10\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/9.0.9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal version 7.75 / 8.8.12 / 8.9.10 / 9.0.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28949\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/27\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, php:TRUE);\n\napp_info = vcf::get_app_info(app:'Drupal', port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '7.0', 'fixed_version' : '7.75' },\n { 'min_version' : '8.0', 'fixed_version' : '8.8.12' },\n { 'min_version' : '8.9', 'fixed_version' : '8.9.10' },\n { 'min_version' : '9.0', 'fixed_version' : '9.0.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-04T15:38:44", "description": "The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has a package installed that is 
affected by multiple\nvulnerabilities as referenced in the USN-4654-1 advisory.\n\n - Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not\n blocked. (CVE-2020-28948)\n\n - Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other\n stream-wrapper attack (such as file:// to overwrite files) can still succeed. (CVE-2020-28949)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-12-02T00:00:00", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : PEAR vulnerabilities (USN-4654-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "modified": "2020-12-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10", "p-cpe:/a:canonical:ubuntu_linux:php-pear"], "id": "UBUNTU_USN-4654-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143428", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4654-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143428);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/03\");\n\n script_cve_id(\"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"USN\", value:\"4654-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : PEAR vulnerabilities (USN-4654-1)\");\n script_summary(english:\"Checks the dpkg output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has a package installed that is affected by multiple\nvulnerabilities as referenced in the USN-4654-1 advisory.\n\n - Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not\n blocked. (CVE-2020-28948)\n\n - Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other\n stream-wrapper attack (such as file:// to overwrite files) can still succeed. 
(CVE-2020-28949)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4654-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected php-pear package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28949\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:php-pear\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|20\\.04|20\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 20.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'php-pear', 'pkgver': '1:1.10.1+submodules+notgz-6ubuntu0.2'},\n {'osver': '18.04', 'pkgname': 'php-pear', 'pkgver': '1:1.10.5+submodules+notgz-1ubuntu1.18.04.2'},\n {'osver': '20.04', 'pkgname': 'php-pear', 'pkgver': '1:1.10.9+submodules+notgz-1ubuntu0.20.04.1'},\n {'osver': '20.10', 'pkgname': 'php-pear', 'pkgver': '1:1.10.9+submodules+notgz-1ubuntu0.20.10.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'php-pear');\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T02:27:20", "description": " - Fix Bug #27002: Filename manipulation vulnerabilities\n (CVE-2020-28948 / CVE-2020-28949) [mrook]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-12-02T00:00:00", "title": "Fedora 32 : 1:php-pear (2020-5271a896ff)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "modified": "2020-12-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "p-cpe:/a:fedoraproject:fedora:1:php-pear"], "id": "FEDORA_2020-5271A896FF.NASL", "href": "https://www.tenable.com/plugins/nessus/143436", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-5271a896ff.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143436);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/07\");\n\n script_cve_id(\"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"FEDORA\", value:\"2020-5271a896ff\");\n\n script_name(english:\"Fedora 32 : 1:php-pear (2020-5271a896ff)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\" - Fix Bug #27002: Filename manipulation vulnerabilities\n (CVE-2020-28948 / CVE-2020-28949) 
[mrook]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-5271a896ff\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected 1:php-pear package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"php-pear-1.10.12-4.fc32\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:php-pear\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T01:36:38", "description": "Two vulnerabilities were found in the Archive_Tar PHP module, used by\nDrupal, which could result in the execution of arbitrary code if a\nmalicious user is allowed to upload tar archives.\n\nFor Debian 9 stretch, these problems have been fixed in version\n7.52-2+deb9u13.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of 
drupal7 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 5, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-11-30T00:00:00", "title": "Debian DLA-2466-1 : drupal7 security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "modified": "2020-11-30T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2466.NASL", "href": "https://www.tenable.com/plugins/nessus/143336", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2466-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143336);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/07\");\n\n script_cve_id(\"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"IAVA\", value:\"2020-A-0545\");\n\n script_name(english:\"Debian DLA-2466-1 : drupal7 security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Two vulnerabilities were found in the Archive_Tar PHP module, used by\nDrupal, which could result in the execution of arbitrary code if a\nmalicious user is allowed to upload tar archives.\n\nFor Debian 9 stretch, these problems have been fixed in version\n7.52-2+deb9u13.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/drupal7\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Upgrade the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"drupal7\", reference:\"7.52-2+deb9u13\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-24T01:55:02", "description": "Two vulnerabilities were discovered in the PEAR Archive_Tar package\nfor handling tar files in PHP, potentially allowing a remote attacker\nto execute arbitrary code or overwrite files.", "edition": 2, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-12-21T00:00:00", "title": "Debian DSA-4817-1 : php-pear - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "modified": "2020-12-21T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:php-pear", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4817.NASL", "href": "https://www.tenable.com/plugins/nessus/144483", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4817. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144483);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/23\");\n\n script_cve_id(\"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"DSA\", value:\"4817\");\n\n script_name(english:\"Debian DSA-4817-1 : php-pear - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Two vulnerabilities were discovered in the PEAR Archive_Tar package\nfor handling tar files in PHP, potentially allowing a remote attacker\nto execute arbitrary code or overwrite files.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/php-pear\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/php-pear\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4817\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the php-pear packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 1:1.10.6+submodules+notgz-1.1+deb10u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are 
available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"php-pear\", reference:\"1:1.10.6+submodules+notgz-1.1+deb10u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-08T02:30:59", "description": " - Fix Bug #27002: Filename manipulation vulnerabilities\n (CVE-2020-28948 / CVE-2020-28949) [mrook]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has 
attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 4, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-12-02T00:00:00", "title": "Fedora 33 : 1:php-pear (2020-f351eb14e3)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "modified": "2020-12-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:php-pear", "cpe:/o:fedoraproject:fedora:33"], "id": "FEDORA_2020-F351EB14E3.NASL", "href": "https://www.tenable.com/plugins/nessus/143438", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-f351eb14e3.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143438);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/07\");\n\n script_cve_id(\"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"FEDORA\", value:\"2020-f351eb14e3\");\n\n script_name(english:\"Fedora 33 : 1:php-pear (2020-f351eb14e3)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\" - Fix Bug #27002: Filename manipulation vulnerabilities\n (CVE-2020-28948 / CVE-2020-28949) [mrook]\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-f351eb14e3\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected 
1:php-pear package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:php-pear\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"php-pear-1.10.12-4.fc33\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:php-pear\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-31T10:41:03", "description": "- https://www.drupal.org/project/drupal/releases/8.9.11\n\n- https://www.drupal.org/project/drupal/releases/8.9.10\n\n - https://www.drupal.org/sa-core-2020-013\n (CVE-2020-28948 / CVE-2020-28949)\n\n- https://www.drupal.org/project/drupal/releases/8.9.9\n\n - https://www.drupal.org/sa-core-2020-012\n (CVE-2020-13671)\n\n- https://www.drupal.org/project/drupal/releases/8.9.8\n\n- https://www.drupal.org/project/drupal/releases/8.9.7\n\n- https://www.drupal.org/project/drupal/releases/8.9.6\n\n - https://www.drupal.org/sa-core-2020-011\n (CVE-2020-13670)\n\n - https://www.drupal.org/sa-core-2020-010\n (CVE-2020-13669)\n\n - https://www.drupal.org/sa-core-2020-009\n (CVE-2020-13668)\n\n - https://www.drupal.org/sa-core-2020-008\n (CVE-2020-13667)\n\n - https://www.drupal.org/sa-core-2020-007\n (CVE-2020-13666)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 3, "cvss3": 
{"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-12-15T00:00:00", "title": "Fedora 33 : drupal8 (2020-6f1079934c)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13668", "CVE-2020-13667", "CVE-2020-13669", "CVE-2020-13670", "CVE-2020-28949", "CVE-2020-13666", "CVE-2020-13671", "CVE-2020-28948"], "modified": "2020-12-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:33"], "id": "FEDORA_2020-6F1079934C.NASL", "href": "https://www.tenable.com/plugins/nessus/144225", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-6f1079934c.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144225);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/30\");\n\n script_cve_id(\"CVE-2020-13666\", \"CVE-2020-13667\", \"CVE-2020-13668\", \"CVE-2020-13669\", \"CVE-2020-13670\", \"CVE-2020-13671\", \"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"FEDORA\", value:\"2020-6f1079934c\");\n script_xref(name:\"IAVA\", value:\"2020-A-0545\");\n\n script_name(english:\"Fedora 33 : drupal8 (2020-6f1079934c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"- https://www.drupal.org/project/drupal/releases/8.9.11\n\n- https://www.drupal.org/project/drupal/releases/8.9.10\n\n - https://www.drupal.org/sa-core-2020-013\n (CVE-2020-28948 / CVE-2020-28949)\n\n- https://www.drupal.org/project/drupal/releases/8.9.9\n\n - https://www.drupal.org/sa-core-2020-012\n (CVE-2020-13671)\n\n- https://www.drupal.org/project/drupal/releases/8.9.8\n\n- 
https://www.drupal.org/project/drupal/releases/8.9.7\n\n- https://www.drupal.org/project/drupal/releases/8.9.6\n\n - https://www.drupal.org/sa-core-2020-011\n (CVE-2020-13670)\n\n - https://www.drupal.org/sa-core-2020-010\n (CVE-2020-13669)\n\n - https://www.drupal.org/sa-core-2020-009\n (CVE-2020-13668)\n\n - https://www.drupal.org/sa-core-2020-008\n (CVE-2020-13667)\n\n - https://www.drupal.org/sa-core-2020-007\n (CVE-2020-13666)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-6f1079934c\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-007\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-008\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-010\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-011\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-012\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-013\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected drupal8 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28949\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"drupal8-8.9.11-1.fc33\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-31T10:43:48", "description": "- https://www.drupal.org/project/drupal/releases/8.9.11\n\n- https://www.drupal.org/project/drupal/releases/8.9.10\n\n - https://www.drupal.org/sa-core-2020-013\n (CVE-2020-28948 / CVE-2020-28949)\n\n- https://www.drupal.org/project/drupal/releases/8.9.9\n\n - https://www.drupal.org/sa-core-2020-012\n (CVE-2020-13671)\n\n- https://www.drupal.org/project/drupal/releases/8.9.8\n\n- https://www.drupal.org/project/drupal/releases/8.9.7\n\n- https://www.drupal.org/project/drupal/releases/8.9.6\n\n - https://www.drupal.org/sa-core-2020-011\n (CVE-2020-13670)\n\n - https://www.drupal.org/sa-core-2020-010\n (CVE-2020-13669)\n\n - https://www.drupal.org/sa-core-2020-009\n (CVE-2020-13668)\n\n - https://www.drupal.org/sa-core-2020-008\n (CVE-2020-13667)\n\n - https://www.drupal.org/sa-core-2020-007\n (CVE-2020-13666)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 3, "cvss3": {"score": 7.8, "vector": 
"AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-12-15T00:00:00", "title": "Fedora 32 : drupal8 (2020-d50d74d6f2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13668", "CVE-2020-13667", "CVE-2020-13669", "CVE-2020-13670", "CVE-2020-28949", "CVE-2020-13666", "CVE-2020-13671", "CVE-2020-28948"], "modified": "2020-12-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2020-D50D74D6F2.NASL", "href": "https://www.tenable.com/plugins/nessus/144247", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-d50d74d6f2.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144247);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/30\");\n\n script_cve_id(\"CVE-2020-13666\", \"CVE-2020-13667\", \"CVE-2020-13668\", \"CVE-2020-13669\", \"CVE-2020-13670\", \"CVE-2020-13671\", \"CVE-2020-28948\", \"CVE-2020-28949\");\n script_xref(name:\"FEDORA\", value:\"2020-d50d74d6f2\");\n script_xref(name:\"IAVA\", value:\"2020-A-0545\");\n\n script_name(english:\"Fedora 32 : drupal8 (2020-d50d74d6f2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"- https://www.drupal.org/project/drupal/releases/8.9.11\n\n- https://www.drupal.org/project/drupal/releases/8.9.10\n\n - https://www.drupal.org/sa-core-2020-013\n (CVE-2020-28948 / CVE-2020-28949)\n\n- https://www.drupal.org/project/drupal/releases/8.9.9\n\n - https://www.drupal.org/sa-core-2020-012\n (CVE-2020-13671)\n\n- https://www.drupal.org/project/drupal/releases/8.9.8\n\n- https://www.drupal.org/project/drupal/releases/8.9.7\n\n- 
https://www.drupal.org/project/drupal/releases/8.9.6\n\n - https://www.drupal.org/sa-core-2020-011\n (CVE-2020-13670)\n\n - https://www.drupal.org/sa-core-2020-010\n (CVE-2020-13669)\n\n - https://www.drupal.org/sa-core-2020-009\n (CVE-2020-13668)\n\n - https://www.drupal.org/sa-core-2020-008\n (CVE-2020-13667)\n\n - https://www.drupal.org/sa-core-2020-007\n (CVE-2020-13666)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-d50d74d6f2\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-007\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-008\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-009\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-010\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-011\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-012\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2020-013\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected drupal8 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28949\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"drupal8-8.9.11-1.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-12-03T13:11:01", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "description": "It was discovered that PEAR incorrectly sanitized filenames. 
A remote \nattacker could possibly use this issue to execute arbitrary code.", "edition": 2, "modified": "2020-12-01T00:00:00", "published": "2020-12-01T00:00:00", "id": "USN-4654-1", "href": "https://ubuntu.com/security/notices/USN-4654-1", "title": "PEAR vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-12-20T01:24:51", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4817-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nDecember 19, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : php-pear\nCVE ID : CVE-2020-28948 CVE-2020-28949\nDebian Bug : 976108\n\nTwo vulnerabilities were discovered in the PEAR Archive_Tar package for\nhandling tar files in PHP, potentially allowing a remote attacker to\nexecute arbitrary code or overwrite files.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 1:1.10.6+submodules+notgz-1.1+deb10u1.\n\nWe recommend that you upgrade your php-pear packages.\n\nFor the detailed security status of php-pear please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/php-pear\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2020-12-19T10:00:03", "published": "2020-12-19T10:00:03", "id": "DEBIAN:DSA-4817-1:29D39", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00225.html", "title": "[SECURITY] [DSA 4817-1] php-pear security update", "type": "debian", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-03T13:12:21", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2465-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Chris Lamb\nNovember 23, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : php-pear\nVersion : 1:1.10.1+submodules+notgz-9+deb9u2\nCVE IDs : CVE-2020-28948 CVE-2020-28949\n\nIt was discovered that there was a filename sanitisation issue in\nphp-pear, a distribution system for reusable PHP components.\n\nFor Debian 9 "Stretch", this problem has been fixed in version\n1:1.10.1+submodules+notgz-9+deb9u2.\n\nWe recommend that you upgrade your php-pear packages.\n\nFor the detailed security status of php-pear please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/php-pear\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2020-11-23T11:16:10", "published": "2020-11-23T11:16:10", "id": "DEBIAN:DLA-2465-1:399F1", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202011/msg00043.html", "title": "[SECURITY] [DLA 2465-1] php-pear security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-03T13:26:55", "bulletinFamily": "unix", "cvelist": ["CVE-2020-28949", "CVE-2020-28948"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2466-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Emilio Pozuelo Monfort\nNovember 27, 2020 https://wiki.debian.org/LTS\n- 
-------------------------------------------------------------------------\n\nPackage : drupal7\nVersion : 7.52-2+deb9u13\nCVE ID : CVE-2020-28948 CVE-2020-28949\n\nTwo vulnerabilities were found in the Archive_Tar PHP module, used by\nDrupal, which could result in the execution of arbitrary code if a\nmalicious user is allowed to upload tar archives.\n\nFor Debian 9 stretch, these problems have been fixed in version\n7.52-2+deb9u13.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2020-11-27T09:58:35", "published": "2020-11-27T09:58:35", "id": "DEBIAN:DLA-2466-1:EB8EC", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202011/msg00045.html", "title": "[SECURITY] [DLA 2466-1] drupal7 security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}