CVE-2020-28949
Summary
| CVE | CVE-2020-28949 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-11-19 19:15:00 UTC |
| Updated | 2023-11-07 03:21:00 UTC |
| Description | Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. |
Risk And Classification
EPSS: 0.929610000 probability, percentile 0.997760000 (date 2026-04-01)
CISA KEV: Listed on 2022-08-25; due 2022-09-15; ransomware use Unknown
Problem Types: CWE-74
CISA Known Exploited Vulnerability
| Vendor | PEAR |
|---|---|
| Product | Archive_Tar |
| Name | PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://pear.php.net/bugs/bug.php?id=27002, https://www.drupal.org/sa-core-2020-013, https://access.redhat.com/security/cve/cve-2020-28949; https://nvd.nist.gov/vuln/detail/CVE-2020-28949 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Drupal | Drupal | All | All | All | All |
| Application | Drupal | Drupal | All | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Application | Php | Archive Tar | All | All | All | All |
| Application | Php | Archive Tar | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 33 Update: php-pear-1.10.12-4.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| [SECURITY] Fedora 35 Update: drupal7-7.82-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 33 Update: drupal8-8.9.11-1.fc33 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 32 Update: drupal8-8.9.11-1.fc32 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] [DLA 2466-1] drupal7 security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| PEAR Archive_Tar Arbitrary File Write ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit, Third Party Advisory, VDB Entry |
| [SECURITY] Fedora 34 Update: drupal7-7.82-1.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Multiple vulnerabilities through filename manipulation · Issue #33 · pear/Archive_Tar · GitHub | MISC | github.com | Exploit, Issue Tracking, Third Party Advisory |
| [SECURITY] Fedora 33 Update: php-pear-1.10.12-4.fc33 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 33 Update: drupal8-8.9.11-1.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| [SECURITY] Fedora 35 Update: drupal7-7.82-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 34 Update: drupal7-7.82-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 32 Update: php-pear-1.10.12-4.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| Debian -- Security Information -- DSA-4817-1 php-pear | DEBIAN | www.debian.org | Third Party Advisory |
| [SECURITY] Fedora 32 Update: php-pear-1.10.12-4.fc32 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| PEAR Archive_Tar: Directory traversal (GLSA 202101-23) — Gentoo security | GENTOO | security.gentoo.org | Third Party Advisory |
| [SECURITY] Fedora 32 Update: drupal8-8.9.11-1.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013 | Drupal.org | CONFIRM | www.drupal.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 154101 Drupal Core Arbitrary Code Execution Vulnerability (SA-CORE-2020-013)
- 160100 Oracle Enterprise Linux Security Update for php:7.4 (ELSA-2022-6542)
- 160197 Oracle Enterprise Linux Security Update for php-pear (ELSA-2022-7340)
- 240672 Red Hat Update for php:7.4 (RHSA-2022:6542)
- 240674 Red Hat Update for php:7.4 (RHSA-2022:6541)
- 240810 Red Hat Update for php-pear (RHSA-2022:7340)
- 281914 Fedora Security Update for drupal7 (FEDORA-2021-8093e197f4)
- 377605 Alibaba Cloud Linux Security Update for php:7.4 (ALINUX3-SA-2022:0161)
- 377760 Alibaba Cloud Linux Security Update for php-pear (ALINUX2-SA-2022:0052)
- 500879 Alpine Linux Security Update for drupal7
- 504703 Alpine Linux Security Update for drupal7
- 670917 EulerOS Security Update for php-pear (EulerOS-SA-2021-1345)
- 940671 AlmaLinux Security Update for php:7.4 (ALSA-2022:6542)
- 960355 Rocky Linux Security Update for php:7.4 (RLSA-2022:6542)