CVE-2020-36193

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2020-36193
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2021-01-18 20:15:00 UTC
Updated2023-11-07 03:22:00 UTC
DescriptionTar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Risk And Classification

EPSS: 0.711480000 probability, percentile 0.986990000 (date 2026-04-01)

CISA KEV: Listed on 2022-08-25; due 2022-09-15; ransomware use Unknown

Problem Types: CWE-22 | CWE-59

CISA Known Exploited Vulnerability

VendorPEAR
ProductArchive_Tar
NamePEAR Archive_Tar Improper Link Resolution Vulnerability
Required ActionApply updates per vendor instructions.
Noteshttps://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916, https://www.drupal.org/sa-core-2021-001, https://access.redhat.com/security/cve/cve-2020-36193; https://nvd.nist.gov/vuln/detail/CVE-2020-36193

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Debian Debian Linux 10.0 All All All
Operating System Debian Debian Linux 9.0 All All All
Operating System Debian Debian Linux 9.0 All All All
Application Drupal Drupal All All All All
Application Drupal Drupal All All All All
Operating System Fedoraproject Fedora 32 All All All
Operating System Fedoraproject Fedora 33 All All All
Operating System Fedoraproject Fedora 34 All All All
Operating System Fedoraproject Fedora 35 All All All
Operating System Fedoraproject Fedora 32 All All All
Operating System Fedoraproject Fedora 33 All All All
Application Php Archive Tar All All All All

References

ReferenceSourceLinkTags
[SECURITY] Fedora 35 Update: drupal7-7.82-1.fc35 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
Debian -- Security Information -- DSA-4894-1 php-pear DEBIAN www.debian.org
[SECURITY] Fedora 34 Update: drupal7-7.82-1.fc34 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
Disallow symlinks to out-of-path filenames · pear/Archive_Tar@cde4605 · GitHub MISC github.com Patch, Third Party Advisory
[SECURITY] Fedora 35 Update: drupal7-7.82-1.fc35 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org
[SECURITY] Fedora 33 Update: php-pear-1.10.12-5.fc33 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
[SECURITY] Fedora 34 Update: drupal7-7.82-1.fc34 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
Drupal core - Critical - Third-party libraries - SA-CORE-2021-001 | Drupal.org CONFIRM www.drupal.org Third Party Advisory
[SECURITY] Fedora 32 Update: php-pear-1.10.12-5.fc32 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org Third Party Advisory
[SECURITY] [DLA-2530-1] drupal7 security update MLIST lists.debian.org Mailing List, Third Party Advisory
[SECURITY] Fedora 32 Update: php-pear-1.10.12-5.fc32 - package-announce - Fedora Mailing-Lists lists.fedoraproject.org
[SECURITY] Fedora 33 Update: php-pear-1.10.12-5.fc33 - package-announce - Fedora Mailing-Lists FEDORA lists.fedoraproject.org Third Party Advisory
PEAR Archive_Tar: Directory traversal (GLSA 202101-23) — Gentoo security GENTOO security.gentoo.org Third Party Advisory
[SECURITY] [DLA 2621-1] php-pear security update MLIST lists.debian.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
CISA Known Exploited Vulnerabilities catalog CISA www.cisa.gov kev

Legacy QID Mappings

  • 154099 Drupal Core Security Update(SA-CORE-2021-001)
  • 160100 Oracle Enterprise Linux Security Update for php:7.4 (ELSA-2022-6542)
  • 160197 Oracle Enterprise Linux Security Update for php-pear (ELSA-2022-7340)
  • 178538 Debian Security Update for php-pear (DLA 2621-1)
  • 178558 Debian Security Update for php-pear (DSA 4894-1)
  • 180930 Debian Security Update for drupal7 (DLA-2530-1)
  • 240672 Red Hat Update for php:7.4 (RHSA-2022:6542)
  • 240674 Red Hat Update for php:7.4 (RHSA-2022:6541)
  • 240810 Red Hat Update for php-pear (RHSA-2022:7340)
  • 281914 Fedora Security Update for drupal7 (FEDORA-2021-8093e197f4)
  • 377605 Alibaba Cloud Linux Security Update for php:7.4 (ALINUX3-SA-2022:0161)
  • 377760 Alibaba Cloud Linux Security Update for php-pear (ALINUX2-SA-2022:0052)
  • 500880 Alpine Linux Security Update for drupal7
  • 504704 Alpine Linux Security Update for drupal7
  • 670340 EulerOS Security Update for php-pear (EulerOS-SA-2021-1884)
  • 670722 EulerOS Security Update for php-pear (EulerOS-SA-2021-2480)
  • 751063 OpenSUSE Security Update for Hypertext Preprocessor (PHP) (openSUSE-SU-2021:2872-1)
  • 751075 SUSE Enterprise Linux Security Update for Hypertext Preprocessor (PHP72) (SUSE-SU-2021:2926-1)
  • 751135 OpenSUSE Security Update for Hypertext Preprocessor7-pear (PHP7-pear) (openSUSE-SU-2021:3018-1)
  • 751138 OpenSUSE Security Update for Hypertext Preprocessor7-pear (PHP7-pear) (openSUSE-SU-2021:1267-1)
  • 940671 AlmaLinux Security Update for php:7.4 (ALSA-2022:6542)
  • 960355 Rocky Linux Security Update for php:7.4 (RLSA-2022:6542)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report