CVE-2018-1000888
Published: 2018-12-28
Priority P2 · 66 · high · 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EXPLOIT · EPSS 18.29% (96.9th percentile)
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as a parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | php-pear | < php-pear 1:1.10.6+submodules+notgz-1.1 (bookworm) | php-pear 1:1.10.6+submodules+notgz-1.1 (bookworm) |
| drupal | core | >= 8.0.0 < 8.5.9 | 8.5.9 |
| drupal | core | >= 8.6.0 < 8.6.6 | 8.6.6 |
| drupal | drupal | >= 7.0 < 7.62 | 7.62 |
| drupal | drupal | >= 7.0.0 < 7.62.0 | 7.62.0 |
| drupal | drupal | >= 8.0.0 < 8.5.9 | 8.5.9 |
| drupal | drupal | >= 8.5.0 < 8.5.9 | 8.5.9 |
| drupal | drupal | >= 8.6.0 < 8.6.6 | 8.6.6 |
| drupal | drupal | >= 8.6.0 < 8.6.6 | 8.6.6 |
| drupal | drupal_core | — | — |
| drupal | drupal_core | >= 7.x < 7.62 | 7.62 |
| drupal | drupal_core | >= 8.5.x < 8.5.9 | 8.5.9 |
| drupal | drupal_core | >= 8.6.x < 8.6.6 | 8.6.6 |
| pear | archive_tar | >= 0 < 1.4.4 | 1.4.4 |
| php | pear_archive_tar | <= 1.4.3 | — |
Detection & IOCs (extracted from sources)
- Detect tar archives containing entries with a 'phar://' scheme path as the filename, which is the trigger for PHP unserialization via Archive_Tar's extract() method.
- Monitor for PHP processes invoking unlink() on temporary tar filenames immediately after tar/phar extraction operations, which may indicate Archive_Tar destructor-based object injection.
- Inspect tar archive entry filenames ($v_header['filename']) for 'phar://' prefixes during file operations such as file_exists, is_file, is_dir — these are the code paths exploited.
- The vulnerability is only exploitable when Archive_Tar's extract() is called WITHOUT a specific prefix path; supplying a prefix path prevents the phar:// unserialization trigger.
- Remote code execution (beyond arbitrary file deletion) requires that another class with a useful gadget chain is loaded in the PHP runtime alongside Archive_Tar.
- Drupal installations are only impacted in configurations that use the PEAR Archive_Tar library; not all Drupal configurations are affected.
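The first detection item above, and the mechanism in the description, can be checked before an archive ever reaches Archive_Tar. The Python example below is added here and is not code from this page or from the PEAR library: it scans a tar archive's entry names, resolving the ustar prefix and GNU long-name records the way a tar reader does, and flags any entry whose name begins with a PHP stream-wrapper scheme. It deliberately goes beyond the advisory's phar:// trigger by flagging every `scheme://` prefix, and the sample archive it scans is constructed inside the block.

```python
import io
import re
import tarfile

# Entry names that begin with a PHP stream-wrapper scheme.  The advisory's
# trigger is phar://; matching any scheme is a deliberate broadening, and the
# match is case-insensitive because PHP resolves wrapper names that way.
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.IGNORECASE)


def suspicious_entry_names(tar_bytes):
    """Return (entry_name, reason) for each entry whose name would reach PHP
    file functions (file_exists, is_file, ...) as a wrapper URL.  tarfile
    resolves the name field, ustar prefix and GNU 'L' long-name records, so
    member.name is what Archive_Tar holds in $v_header['filename']."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            match = SCHEME_RE.match(member.name)
            if match is None:
                continue
            scheme = match.group(1).lower()
            if scheme == "phar":
                reason = "phar wrapper: a stat on this path unserializes phar metadata"
            else:
                reason = "stream wrapper scheme %s://" % scheme
            findings.append((member.name, reason))
    return findings


def build_sample_tar():
    """Constructed sample archive: one benign entry and three entries that
    carry a wrapper scheme through different header encodings."""
    names = [
        "docs/readme.txt",                 # benign relative path
        "phar://uploads/avatar.jpg/x",     # fits the 100-byte name field
        "PHAR://" + "a" * 120 + "/x",      # too long: stored via a GNU 'L' record
        "http://example.invalid/x",        # a non-phar wrapper, also flagged
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"sample"))
    return buf.getvalue()
```

Calling `suspicious_entry_names(build_sample_tar())` returns the three flagged entries in archive order; an archive of plain relative paths returns an empty list.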
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 8.8 | HIGH | — |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Drupal
Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001
vendor_drupal·2019-01-16·CVSS 8.8
CVE-2019-6338 [HIGH] Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001
Title: Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001
Vulnerability Type: Third Party Libraries
Description: Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.
Solution: If you are using Drupal 8.6.x, upgrade to Drupal 8.6.6. If you are using Drupal 8.5.x or earlier, upgrade to Drupal 8.5.9. If you are using Drupal 7.x, upgrade to Drupal 7.62. Versions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.
Ubuntu
PEAR vulnerability
vendor_ubuntu·2019-01-14
CVE-2018-1000888 PEAR vulnerability
Title: PEAR vulnerability
Summary: PEAR could be made to run programs if it processed a specially crafted file.
Fariskhi Vidyan discovered that PEAR Archive_Tar incorrectly handled certain archive paths. A remote attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
php-pear: Unsafe deserialization of data in Archive_Tar class
vendor_redhat·2018-12-28·CVSS 8.8
CVE-2018-1000888 [HIGH] CWE-502 php-pear: Unsafe deserialization of data in Archive_Tar class
Debian
CVE-2018-1000888: php-pear - PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerabi...
vendor_debian·2018·CVSS 8.8
CVE-2018-1000888 [HIGH] CVE-2018-1000888: php-pear - PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerabi...
GHSA
Archive_Tar contains Potential RCE if filename starts with phar://
ghsa·2023-07-07
CVE-2018-1000888 [HIGH] Archive_Tar contains Potential RCE if filename starts with phar://
OSV
Archive_Tar contains Potential RCE if filename starts with phar://
osv·2023-07-07
CVE-2018-1000888 [HIGH] Archive_Tar contains Potential RCE if filename starts with phar://
GHSA
Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data
ghsa·2019-12-02·CVSS 8.8
CVE-2019-6338 [HIGH] CWE-502 Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details
OSV
Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data
osv·2019-12-02·CVSS 8.8
CVE-2019-6338 [HIGH] Drupal core third-party PEAR Archive_Tar library is vulnerable to Deserialization of Untrusted Data
OSV
CVE-2019-6338: In Drupal Core versions 7
osv·2019-01-22·CVSS 8.8
CVE-2019-6338 [HIGH] CVE-2019-6338: In Drupal Core versions 7
OSV
CVE-2019-6338: Drupal core uses the third-party PEAR Archive_Tar library
osv·2019-01-16·CVSS 8.8
CVE-2019-6338 [HIGH] CVE-2019-6338: Drupal core uses the third-party PEAR Archive_Tar library
Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to [CVE-2018-1000888](https://nvd.nist.gov/vuln/detail/CVE-2018-1000888) for details.
OSV
CVE-2018-1000888: PEAR Archive_Tar version 1
osv·2018-12-28·CVSS 8.8
CVE-2018-1000888 [HIGH] CVE-2018-1000888: PEAR Archive_Tar version 1
No detection rules found.
Bugzilla
CVE-2018-1000888 php-pear: Unsafe deserialization of data in Archive_Tar class
bugzilla·2019-01-25·CVSS 8.8
CVE-2018-1000888 [HIGH] CVE-2018-1000888 php-pear: Unsafe deserialization of data in Archive_Tar class
Bugzilla
CVE-2018-1000888 php-pear: Unsafe deserialization of data in Archive_Tar class [fedora-all]
bugzilla·2019-01-25·CVSS 8.8
CVE-2018-1000888 [HIGH] CVE-2018-1000888 php-pear: Unsafe deserialization of data in Archive_Tar class [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supp
Bugzilla
CVE-2019-6338 drupal: Vulnerability in the embedded PEAR Archive_Tar library
bugzilla·2019-01-23·CVSS 8.8
CVE-2019-6338 [HIGH] CVE-2019-6338 drupal: Vulnerability in the embedded PEAR Archive_Tar library
Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details
Upstream Issue:
https://www.drupal.org/sa-core-2019-001
Discussion:
Created drupal tracking bugs for this issue:
Affects: fedora-all [bug 1668758]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
References
- https://blog.ripstech.com/2018/new-php-exploitation-technique/
- https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf
- https://lists.debian.org/debian-lts-announce/2019/02/msg00020.html
- https://pear.php.net/bugs/bug.php?id=23782
- https://pear.php.net/package/Archive_Tar/download/
- https://security.gentoo.org/glsa/202006-14
- https://usn.ubuntu.com/3857-1/
- https://www.debian.org/security/2019/dsa-4378
- https://www.exploit-db.com/exploits/46108/