4 matches found
CVE-2020-36193
CVE-2020-36193 affects PHP’s PEAR Archive_Tar up to version 1.4.11. The root cause is inadequate checking of symbolic links, enabling directory traversal for write operations inside an archive. This issue is related to CVE-2020-28948. Mitigation: upgrade Archive_Tar to 1.4.14 or l...
CVE-2020-28949
CVE-2020-28949 affects PEAR Archive_Tar (v1.4.10 and earlier). The issue is that Archive_Tar’s filename sanitization only addressed phar attacks; other stream-wrapper attacks (e.g., file://) can overwrite files, enabling potential arbitrary file writes. Affected ecosystem includes PHP-pear compon...
CVE-2021-32610
Archive_Tar (PHP PEAR) is affected by CVE-2021-32610: in versions before 1.4.14, symlinks can point outside the extracted archive, enabling potential path traversal. This is described as a separate issue from CVE-2020-36193. The available connected documents identify the affected component (Archive_Tar) and...
CVE-2020-28948
CVE-2020-28948 affects Archive_Tar (PHP PEAR) up to version 1.4.10/1.4.11, where an unserialization flaw occurs because phar: is blocked but PHAR: is not blocked. This can enable write operations via directory traversal when processing crafted archives (documented as a related vulnerability to CV...