CVE-2020-28948
Published 2020-11-19
CVE-2020-28948: Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
Priority: P3 54 · Severity: high · CVSS 3.1 score: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 47.49% (98.7th percentile)
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
Affected (25 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | php-pear | < php-pear 1:1.10.12+submodules+notgz+20210212-1 (bookworm) | php-pear 1:1.10.12+submodules+notgz+20210212-1 (bookworm) |
| debian | php-pear | < php-pear 1:1.10.9+submodules+notgz-1.1 (bookworm) | php-pear 1:1.10.9+submodules+notgz-1.1 (bookworm) |
| drupal | core | >= 7.0.0 < 7.75 | 7.75 |
| drupal | core | >= 8.0.0 < 8.8.12 | 8.8.12 |
| drupal | core | >= 8.9.0 < 8.9.10 | 8.9.10 |
| drupal | core | >= 9.0.0 < 9.0.9 | 9.0.9 |
| drupal | drupal | >= 7.0 < 7.78 | 7.78 |
| drupal | drupal | >= 7.0 < 7.75 | 7.75 |
| drupal | drupal | >= 8.0.0 < 8.9.10 | 8.9.10 |
| drupal | drupal | >= 8.8.0 < 8.8.12 | 8.8.12 |
| drupal | drupal | >= 8.9.0 < 8.9.13 | 8.9.13 |
| drupal | drupal | >= 9.0.0 < 9.0.11 | 9.0.11 |
| drupal | drupal | >= 9.0.0 < 9.0.9 | 9.0.9 |
| drupal | drupal | >= 9.1.0 < 9.1.3 | 9.1.3 |
| drupal | drupal_core | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| pear | archive_tar | >= 0 < 1.4.13 | 1.4.13 |
| pear | archive_tar | >= 0 < 1.4.11 | 1.4.11 |
| php | archive_tar | < 1.4.11 | 1.4.11 |
| php | archive_tar | <= 1.4.11 | — |
Detection & IOCs (extracted from sources)
- Detect case-insensitive PHAR stream wrapper bypass: monitor for 'PHAR:' (uppercase) in file upload paths or archive extraction routines, as the block only covered lowercase 'phar:'
- Alert on upload or processing of .tar, .tar.gz, .bz2, or .tlz files by untrusted users in Drupal environments, as these file types are the attack surface for exploitation
- Monitor for directory traversal sequences (/../) in archive filenames processed by Tar.php (Archive_Tar), indicating exploitation of the symbolic link traversal vulnerability
- Flag Drupal instances running versions prior to 9.0.9, 8.9.10, 8.8.12, or 7.75 as vulnerable; known exploits exist in the wild for this dependency
- Exploitation requires Drupal to be configured to allow untrusted users to upload archive file types; disabling these upload types mitigates the risk without patching
- php-pear on RHEL 7.2, 7.3, and Software Collections (rh-php73) will not receive patches; detection must rely on network/behavioral controls for those environments
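The three filename checks listed above (a case-insensitive stream-wrapper match that is not limited to phar, a /../ traversal check, and the same checks on symlink targets) as a defender-side pre-extraction scan of tar member names. This is an added example, not code from this page or from Archive_Tar; the archive it scans is a constructed sample, and the function names are the author's own.

```python
"""Scan tar member names for the patterns behind CVE-2020-28948 (case-variant
wrappers such as PHAR:// or file://) and the /../ traversal of CVE-2020-36193."""
import io
import re
import tarfile
from posixpath import normpath

# Any scheme followed by "://". Archive_Tar <= 1.4.10 only compared the
# lowercase "phar:" prefix, so this match is case-insensitive and not phar-only.
STREAM_WRAPPER = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def escapes_destination(path: str) -> bool:
    """True if the path would resolve outside the extraction directory."""
    if path.startswith("/"):
        return True
    norm = normpath(path)
    return norm == ".." or norm.startswith("../")

def findings_for_member(member: tarfile.TarInfo) -> list[str]:
    """Classify one member; an empty list means nothing suspicious."""
    findings = []
    if STREAM_WRAPPER.match(member.name):
        findings.append("stream-wrapper")
    if escapes_destination(member.name):
        findings.append("traversal")
    # Symlinks and hard links are checked on their target as well (CVE-2020-36193).
    if member.issym() or member.islnk():
        if STREAM_WRAPPER.match(member.linkname) or escapes_destination(member.linkname):
            findings.append("link-target")
    return findings

def scan_tar(data: bytes) -> dict[str, list[str]]:
    """Return {member name: findings} for every suspicious member in the archive."""
    results: dict[str, list[str]] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if hits := findings_for_member(member):
                results[member.name] = hits
    return results

def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign file plus the three patterns above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "PHAR://stage.phar/x",
                     "file:///tmp/out", "../../outside/file.txt"):
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"sample"))
        link = tarfile.TarInfo("link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()
```

Run the scan on an upload before it reaches the extractor and reject the archive on any non-empty result; the benign docs/readme.txt member produces no finding.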
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 7.8 | HIGH | — |
| osv | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 8.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
OSV: drupal7 vulnerabilities
osv · 2024-09-03 · CVSS 8.8 · CVE-2020-13671 [HIGH]
USN-6981-1 fixed vulnerabilities in Drupal. This update provides the corresponding updates for Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A remote attacker could possibly use this issue to overwrite arbitrary files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
OSV: drupal7 vulnerabilities
osv · 2024-08-27 · CVSS 8.8 · CVE-2020-13671 [HIGH]
It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A remote attacker could possibly use this issue to overwrite arbitrary files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
GHSA: Drupal core Arbitrary PHP code execution
ghsa · 2024-05-15 · CVSS 7.8 · CVE-2020-28948 [HIGH] · CWE-94
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
- CVE-2020-28948
- CVE-2020-28949
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.
OSV: Drupal core Arbitrary PHP code execution
osv · 2024-05-15 · CVSS 7.8 · CVE-2020-28948 [HIGH]
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
- CVE-2020-28948
- CVE-2020-28949
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.
OSV: Directory Traversal in Archive_Tar
osv · 2021-04-22 · CVSS 7.8 · CVE-2020-36193 [HIGH]
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Note: There was an [initial fix](https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916) for this vulnerability made in version `1.4.12`. That fix introduced a bug which was [fixed in 1.4.13](https://github.com/pear/Archive_Tar/pull/36). Therefore we have set the first-patched-version to `1.4.13`, which is the earliest working version that avoids this vulnerability.
OSV: Multiple vulnerabilities through filename manipulation in Archive_Tar
osv · 2021-04-22 · CVE-2020-28948 [HIGH]
Archive_Tar through 1.4.10 has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed. See: https://github.com/pear/Archive_Tar/issues/33
OSV: Deserialization of Untrusted Data in Archive_Tar
osv · 2021-04-22 · CVE-2020-28948 [HIGH]
Archive_Tar through 1.4.10 allows an unserialization attack because `phar:` is blocked but `PHAR:` is not blocked. See: https://github.com/pear/Archive_Tar/issues/33
GHSA: Directory Traversal in Archive_Tar
ghsa · 2021-04-22 · CVSS 7.8 · CVE-2020-36193 [HIGH] · CWE-22
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Note: There was an [initial fix](https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916) for this vulnerability made in version `1.4.12`. That fix introduced a bug which was [fixed in 1.4.13](https://github.com/pear/Archive_Tar/pull/36). Therefore we have set the first-patched-version to `1.4.13`, which is the earliest working version that avoids this vulnerability.
GHSA: Deserialization of Untrusted Data in Archive_Tar
ghsa · 2021-04-22 · CVE-2020-28948 [HIGH] · CWE-502
Archive_Tar through 1.4.10 allows an unserialization attack because `phar:` is blocked but `PHAR:` is not blocked. See: https://github.com/pear/Archive_Tar/issues/33
OSV: CVE-2020-36193: Tar
osv · 2021-01-18 · CVSS 7.8 · CVE-2020-36193 [HIGH]
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
OSV: CVE-2020-28948: The Drupal project uses the PEAR Archive_Tar library
osv · 2020-11-25 · CVSS 7.8 · CVE-2020-28948 [HIGH]
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
* [CVE-2020-28948](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948)
* [CVE-2020-28949](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949)
Multiple vulnerabilities are possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processes them.
**To mitigate this issue, prevent untrusted users from uploading `.tar`, `.tar.gz`, `.bz2`, or `.tlz` files.**
This is a different issue than [SA-CORE-2019-012](https://www.drupal.org/sa-core-2019-012). Similar configuration changes may mitigate the problem until you are able to patch.
OSV: CVE-2020-28948: Archive_Tar through 1
osv · 2020-11-19 · CVSS 7.8 · CVE-2020-28948 [HIGH]
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
Ubuntu: Drupal vulnerabilities
vendor_ubuntu · 2024-09-03 · CVSS 8.8 · CVE-2020-13671 [HIGH]
Summary: Drupal could be made to crash or run programs if it received specially crafted network traffic.
USN-6981-1 fixed vulnerabilities in Drupal. This update provides the corresponding updates for Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A remote attacker could possibly use this issue to overwrite arbitrary files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu: Drupal vulnerabilities
vendor_ubuntu · 2024-08-27 · CVSS 8.8 · CVE-2020-13671 [HIGH]
Summary: Drupal could be made to crash or run programs if it received specially crafted network traffic.
It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A remote attacker could possibly use this issue to overwrite arbitrary files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat: Archive_Tar: directory traversal due to inadequate checking of symbolic links
vendor_redhat · 2021-01-27 · CVSS 7.8 · CVE-2020-36193 [HIGH] · CWE-22
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
A flaw was found in the Archive_Tar package. Archive_Tar could allow a remote attacker to traverse directories on the system caused by inadequate checking of symbolic links. An attacker could send a specially-crafted URL request to the Tar.php script containing "dot dot" sequences (/../) to modify arbitrary files on the system.
Statement: php-pear 7.2 and 7.3 have been marked End of Life at the time this CVE was released. Therefore no patches would be made available for those versions.
Package: php-pear (Red Hat Enterprise Linux 6) - Out of sup
Ubuntu: PEAR vulnerabilities
vendor_ubuntu · 2020-12-01 · CVE-2020-28948
Summary: PEAR could be made to run programs as an administrator.
It was discovered that PEAR incorrectly sanitized filenames. A remote attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Drupal: Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013
vendor_drupal · 2020-11-25 · CVSS 7.8 · CVE-2020-28949 [HIGH]
Vulnerability Type: Arbitrary PHP code execution
Description: The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see: CVE-2020-28948, CVE-2020-28949. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them. To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files. This is a different issue than SA-CORE-2019-012. Similar configuration changes may mitigate the problem until you are able to patch.
Solution: Install the latest version: If you are using Drupal 9.0, update to Drupal 9
Red Hat: Archive_Tar: allows an unserialization attack because phar: is blocked but PHAR: is not blocked
vendor_redhat · 2020-11-19 · CVSS 7.8 · CVE-2020-28948 [HIGH] · CWE-502
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
Statement: PHP 7.2 and 7.3 marked End of Life at the time this CVE was released. There would be no patches made available for php-pear.
Package: php-pear (Red Hat Enterprise Linux 6) - Out of support scope
Package: php:7.2/php-pear (Red Hat Enterprise Linux 8) - Will not fix
Package: php:7.3/php-pear (Red Hat Enterprise Linux 8) - Will not fix
Package: rh-php73-php-pear (Red Hat Software Collections) - Will not fix
Debian: CVE-2020-36193: php-pear - Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Tra...
vendor_debian · 2020 · CVSS 7.8 · CVE-2020-36193 [HIGH]
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Scope: local
bookworm: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
bullseye: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
forky: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
sid: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
trixie: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
Debian: CVE-2020-28948: php-pear - Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blo...
vendor_debian · 2020 · CVSS 7.8 · CVE-2020-28948 [HIGH]
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
Scope: local
bookworm: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
bullseye: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
forky: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
sid: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
trixie: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
No detection rules found.
No public exploits indexed.
References
- https://github.com/pear/Archive_Tar/issues/33
- https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/
- https://security.gentoo.org/glsa/202101-23
- https://www.debian.org/security/2020/dsa-4817
- https://www.drupal.org/sa-core-2020-013
Published: 2020-11-19