⚠ Actively exploited
Added to CISA KEV on 2022-08-25. Federal agencies required to patch by 2022-09-15. Required action: Apply updates per vendor instructions..

CVE-2020-28949

CWE-74CWE-20Improper Input ValidationCWE-94Code Injection19 documents10 sources
Severity
7.8HIGH
EPSS
93.0%
top 0.22%
CISA KEV
KEV
Added 2022-08-25
Due 2022-09-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Drupal DrupalPHP Archive TARDrupal Core+3 more
Timeline
PublishedNov 19
KEV addedAug 25
KEV dueSep 15
Latest updateSep 3
CISA Required Action: Apply updates per vendor instructions.

Description

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

Packagistdrupal/core8.0.08.8.12+3
NVDdrupal/drupal7.07.75+3
NVDphp/archive_tar< 1.4.12
Packagistpear/archive_tar< 1.4.11
Ubuntudrupal7< 7.44-1ubuntu1~16.04.0+esm2

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33, 34, 35

🔴Vulnerability Details

11
OSV
drupal7 vulnerabilities2024-09-03
OSV
drupal7 vulnerabilities2024-08-27
GHSA
Drupal core Arbitrary PHP code execution2024-05-15
OSV
Drupal core Arbitrary PHP code execution2024-05-15
GHSA
Multiple vulnerabilities through filename manipulation in Archive_Tar2021-04-22

📋Vendor Advisories

7
Ubuntu
Drupal vulnerabilities2024-09-03
Ubuntu
Drupal vulnerabilities2024-08-27
CISA
PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability2022-08-25
Ubuntu
PEAR vulnerabilities2020-12-01
Drupal
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-0132020-11-25
CVE-2020-28949 (HIGH CVSS 7.8) | Archive_Tar through 1.4.10 has :// | cvebase.io