Lucene search

GitHub Advisory DatabaseGHSA-JH5X-HFHG-78JQ

HistoryApr 22, 2021 - 4:20 p.m.

Deserialization of Untrusted Data in Archive_Tar

2021-04-2216:20:50

CWE-502

GitHub Advisory Database

github.com

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.068 Low

EPSS

Percentile

93.8%

JSON

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. See: https://github.com/pear/Archive_Tar/issues/33

CPENameOperatorVersion
pear/archive_tarlt1.4.11

CPE	Name	Operator	Version
	pear/archive_tar	lt	1.4.11

References

github.com/advisories/GHSA-jh5x-hfhg-78jq

github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da

github.com/pear/Archive_Tar/issues/33

lists.debian.org/debian-lts-announce/2020/11/msg00045.html

lists.fedoraproject.org/archives/list/[email protected]/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

lists.fedoraproject.org/archives/list/[email protected]/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

lists.fedoraproject.org/archives/list/[email protected]/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

lists.fedoraproject.org/archives/list/[email protected]/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

lists.fedoraproject.org/archives/list/[email protected]/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/

lists.fedoraproject.org/archives/list/[email protected]/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

nvd.nist.gov/vuln/detail/CVE-2020-28948

security.gentoo.org/glsa/202101-23

www.debian.org/security/2020/dsa-4817

www.drupal.org/sa-core-2020-013

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.068 Low

EPSS

Percentile

93.8%

JSON

Deserialization of Untrusted Data in Archive_Tar

References

Related