PEAR/Archive_Tar is vulnerable to arbitrary file deletion. The vulnerability exists when extracting a file with a phar://
prefix, which allows unsafe unserialization of gadgets and leads to arbitrary file deletion.

CPE

Name | Operator | Version |
---|---|---|
pear/archive_tar | le | 1.4.3 |

blog.ripstech.com/2018/new-php-exploitation-technique/
cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
lists.debian.org/debian-lts-announce/2019/02/msg00020.html
pear.php.net/bugs/bug.php?id=23782
pear.php.net/package/Archive_Tar/download/
security.gentoo.org/glsa/202006-14
usn.ubuntu.com/3857-1/
www.debian.org/security/2019/dsa-4378
www.exploit-db.com/exploits/46108/