CVE-2020-28948
published 2020-11-19

CVE-2020-28948: Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

Priority: P3 · 54 · high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
EPSS: 47.49% (98.7th percentile)

Affected

25 ranges

Vendor         Product       Version range                                                   Fixed in
debian         debian_linux
debian         debian_linux
debian         php-pear      < php-pear 1:1.10.12+submodules+notgz+20210212-1 (bookworm)     php-pear 1:1.10.12+submodules+notgz+20210212-1 (bookworm)
debian         php-pear      < php-pear 1:1.10.9+submodules+notgz-1.1 (bookworm)             php-pear 1:1.10.9+submodules+notgz-1.1 (bookworm)
drupal         core          >= 7.0.0 < 7.75                                                 7.75
drupal         core          >= 8.0.0 < 8.8.12                                               8.8.12
drupal         core          >= 8.9.0 < 8.9.10                                               8.9.10
drupal         core          >= 9.0.0 < 9.0.9                                                9.0.9
drupal         drupal        >= 7.0 < 7.78                                                   7.78
drupal         drupal        >= 7.0 < 7.75                                                   7.75
drupal         drupal        >= 8.0.0 < 8.9.10                                               8.9.10
drupal         drupal        >= 8.8.0 < 8.8.12                                               8.8.12
drupal         drupal        >= 8.9.0 < 8.9.13                                               8.9.13
drupal         drupal        >= 9.0.0 < 9.0.11                                               9.0.11
drupal         drupal        >= 9.0.0 < 9.0.9                                                9.0.9
drupal         drupal        >= 9.1.0 < 9.1.3                                                9.1.3
drupal         drupal_core
fedoraproject  fedora
fedoraproject  fedora
fedoraproject  fedora
fedoraproject  fedora
pear           archive_tar   >= 0 < 1.4.13                                                   1.4.13
pear           archive_tar   >= 0 < 1.4.11                                                   1.4.11
php            archive_tar   < 1.4.11                                                        1.4.11
php            archive_tar   <= 1.4.11

Detection & IOCs (extracted from sources)

Indicators:
  other:    phar: (blocked) vs PHAR: (not blocked) — unserialization attack vector
  filename: .tar
  filename: .tar.gz
  filename: .bz2
  filename: .tlz
  path:     Tar.php
  • Detect the case-insensitive PHAR stream wrapper bypass: monitor for an uppercase 'PHAR:' prefix in file upload paths or archive extraction routines, since the original block only covered the lowercase 'phar:' form
  • Alert on upload or processing of .tar, .tar.gz, .bz2, or .tlz files by untrusted users in Drupal environments, as these file types are the attack surface for exploitation
  • Monitor for directory traversal sequences (/../) in archive filenames processed by Tar.php (Archive_Tar), indicating exploitation of the symbolic link traversal vulnerability
  • Flag Drupal instances running versions prior to 9.0.9, 8.9.10, 8.8.12, or 7.75 as vulnerable; known exploits exist in the wild for this dependency
  • Exploitation requires Drupal to be configured to allow untrusted users to upload archive file types; disabling these upload types mitigates the risk without patching
  • php-pear on RHEL 7.2, 7.3, and Software Collections (rh-php73) will not receive patches; detection must rely on network/behavioral controls for those environments
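The first and third detection notes above both come down to inspecting archive entry names before they are acted on. The following Python scanner is an added illustration for this record, not code from Archive_Tar, Drupal, or any vendor: it places the bypassable shape of check (an exact lowercase `phar:` prefix test) next to a hardened one that parses the scheme and compares it case-insensitively, and also flags `..` traversal components. The block list, regexes, function names and the sample entry names are all constructed for the example and are not taken from the advisory.

```python
"""Case-insensitive stream-wrapper and traversal checks for archive entry names.

Added illustration for the detection notes in this CVE record; not code from
Archive_Tar, Drupal or any vendor. All sample entry names below are constructed.
"""
import re
from typing import List, NamedTuple, Sequence

# Wrapper scheme names to reject in an archive entry path. This CVE concerns
# 'phar'; adding further wrappers is a local policy choice (assumption, not
# something the record states).
BLOCKED_WRAPPERS = frozenset({"phar"})

# RFC 3986 scheme syntax: a letter, then letters/digits/'+'/'-'/'.', then ':'.
# IGNORECASE is the whole fix: 'PHAR:' and 'Phar:' must be treated like 'phar:'.
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)

# A '..' path component bounded by either separator or the string edges.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


class Finding(NamedTuple):
    entry: str
    reason: str


def naive_is_blocked(entry: str) -> bool:
    """Exact lowercase prefix test: the shape of check the record calls bypassable."""
    return entry.startswith("phar:")


def hardened_is_blocked(entry: str) -> bool:
    """Parse the scheme, lower-case it, then compare against the block list."""
    m = SCHEME_RE.match(entry)
    return m is not None and m.group(1).lower() in BLOCKED_WRAPPERS


def scan_entries(entries: Sequence[str]) -> List[Finding]:
    """Return one Finding per suspicious condition seen in the entry names."""
    findings: List[Finding] = []
    for entry in entries:
        m = SCHEME_RE.match(entry)
        if m is not None and m.group(1).lower() in BLOCKED_WRAPPERS:
            findings.append(Finding(entry, f"stream wrapper scheme '{m.group(1)}:' in entry name"))
        if TRAVERSAL_RE.search(entry):
            findings.append(Finding(entry, "parent-directory traversal ('..') in entry name"))
    return findings


def missed_by_naive_check(entries: Sequence[str]) -> List[str]:
    """Entries the hardened check rejects but the lowercase-only check lets through."""
    return [e for e in entries if hardened_is_blocked(e) and not naive_is_blocked(e)]


# Constructed sample entry names, as they might appear in a tar listing.
SAMPLE_ENTRIES = [
    "docs/README.txt",
    "phar://archive.phar/file.txt",
    "PHAR://archive.phar/file.txt",
    "Phar://archive.phar/file.txt",
    "../../var/www/html/settings.php",
    "images/../../uploads/x.txt",
    "C:\\temp\\notes.txt",
]

if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES):
        print(f"{finding.entry!r}: {finding.reason}")
    print("missed by lowercase-only check:", missed_by_naive_check(SAMPLE_ENTRIES))
```

Run it as a script to see the two uppercase variants that slip past the prefix test; the same `scan_entries` function can be pointed at a real listing (for example the output of `tar -tf`) to produce alert material for the first and third notes above.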

CVSS provenance

  NVD (v3.1):     7.8 HIGH    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  NVD (v2.0):     6.8 MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P
  GHSA:           7.8 HIGH
  OSV:            8.8 HIGH
  vendor_ubuntu:  8.8 HIGH
  vendor_debian:  7.8 HIGH
  vendor_redhat:  7.8 HIGH