CVE-2020-28949
Published: 2020-11-19
Priority: P1 · 88 · high · 7.8 · CVSS 3.1
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-09-15
Exploited in the wild
EPSS: 84.55% (99.7th percentile)
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php-pear | < 1:1.10.9+submodules+notgz-1.1 | 1:1.10.9+submodules+notgz-1.1 (bookworm) |
| drupal | core | >= 7.0.0 < 7.75 | 7.75 |
| drupal | core | >= 8.0.0 < 8.8.12 | 8.8.12 |
| drupal | core | >= 8.9.0 < 8.9.10 | 8.9.10 |
| drupal | core | >= 9.0.0 < 9.0.9 | 9.0.9 |
| drupal | drupal | >= 7.0 < 7.75 | 7.75 |
| drupal | drupal | >= 8.0.0 < 8.9.10 | 8.9.10 |
| drupal | drupal | >= 8.8.0 < 8.8.12 | 8.8.12 |
| drupal | drupal | >= 9.0.0 < 9.0.9 | 9.0.9 |
| drupal | drupal_core | — | — |
| fedoraproject | fedora | — | — |
| pear | archive_tar | >= 0 < 1.4.11 | 1.4.11 |
| php | archive_tar | < 1.4.12 | 1.4.12 |
The two archive_tar rows come from different sources and disagree on the upper bound. The pear row records the upstream fix in 1.4.11, so treat 1.4.11 as the minimum patched version and prefer the latest 1.4.x release; rows with no version data are distribution-level entries whose fixed packages are listed in the vendor advisories further down.
Detection & IOCs (extracted from sources)
- Flag tar archive uploads (.tar, .tar.gz, .bz2, .tlz) containing entry names with a stream-wrapper prefix (e.g. file://, phar://, PHAR://) as malicious; these are the attack vectors for CVE-2020-28949.
- Detect the case-variant bypass tracked as the sibling CVE-2020-28948: Archive_Tar blocks a lowercase 'phar:' prefix but not 'PHAR:', so match any :// pattern in archive entry names case-insensitively rather than looking for one fixed spelling.
- Monitor for unexpected file writes by the PHP process user immediately after a tar archive is extracted, particularly to sensitive paths; the exploit writes files with whatever permissions that user has.
- The Metasploit module exploits/multi/fileformat/archive_tar_arb_file_write targets Archive_Tar <= 1.4.10; alert on use of this module or on crafted tar files matching its output pattern.
- Drupal installations are only vulnerable if configured to allow untrusted users to upload .tar, .tar.gz, .bz2, or .tlz files; disabling those upload types mitigates the risk until the site can be patched.
- Red Hat has marked php-pear as 'Will not fix' across RHEL 8 (php:7.2, php:7.3) and Red Hat Software Collections (rh-php73), so systems relying on the distro package remain exposed unless the application bundles its own patched copy of Archive_Tar (as Drupal core does) or untrusted archive uploads are blocked.
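The first two detection points above (any stream-wrapper prefix, matched case-insensitively, plus the usual traversal and absolute-path cases) as a stand-alone scanner that reads tar headers without extracting anything. This is an added example written for this page, not Archive_Tar's own source and not the Metasploit module's output. It builds its sample archive in memory with Python's tarfile module; the entry names, the `weak_check` helper (which mirrors the prefix-only filter the advisory describes, not the library's actual code) and the `classify_member`, `scan_tar` and `build_sample_tar` names are all this example's own assumptions.

```python
import io
import re
import tarfile
from typing import List, Optional, Tuple

# Any PHP stream-wrapper prefix (phar://, file://, php://, data://, ...),
# matched case-insensitively: PHP wrapper names are not case-sensitive, and a
# filter that only knows the lowercase spelling misses PHAR:// and every
# non-phar wrapper.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def weak_check(name: str) -> bool:
    """Illustrative prefix-only filter (this example's own, not the library's
    source): rejects an entry only when it starts with lowercase 'phar://'."""
    return name.startswith("phar://")


def classify_member(name: str) -> Optional[str]:
    """Return a reason if the entry name should block extraction, else None."""
    if WRAPPER_RE.match(name):
        return "stream-wrapper prefix"
    if name.startswith("/"):
        return "absolute path"
    if ".." in name.split("/"):
        return "path traversal"
    return None


def scan_tar(data: bytes) -> List[Tuple[str, str]]:
    """Walk every header of a tar (plain, gz, bz2 or xz) without extracting
    anything and return (name, reason) for each suspicious entry, in order."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            reason = classify_member(member.name)
            if reason:
                findings.append((member.name, reason))
    return findings


def build_sample_tar(names: List[str]) -> bytes:
    """Constructed test input: a tar whose entries carry the given names.
    TarInfo is used directly so names are written exactly as supplied."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            payload = b"<?php echo 'constructed sample'; ?>\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample entry names, one per case the advisory text describes.
SAMPLE_NAMES = [
    "sites/default/files/notes.txt",   # benign
    "PHAR://payload.phar/x.txt",       # case-variant phar wrapper (CVE-2020-28948)
    "file:///tmp/owned.php",           # non-phar wrapper, file overwrite (CVE-2020-28949)
    "../../etc/cron.d/job",            # classic traversal
    "/var/www/html/shell.php",         # absolute path
]

if __name__ == "__main__":
    for name, reason in scan_tar(build_sample_tar(SAMPLE_NAMES)):
        caught = "caught" if weak_check(name) else "MISSED"
        print(f"{reason:22} {caught:6} by prefix-only check: {name}")
```

Run it on an uploaded archive before handing the bytes to Archive_Tar (or any extractor) and reject the upload on the first finding. Because the scanner only reads headers and never opens the entry names as paths, the wrapper trick cannot fire inside the scanner itself; it is a gate in front of the extractor, not a substitute for upgrading to a patched Archive_Tar.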
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 7.8 | HIGH | — |
| osv | — | 8.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 8.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
Note the AV:L in the v3.1 vector: NVD scores this as a local attack needing user interaction (a crafted archive handed to the extractor), whereas the older v2.0 vector treats it as network-reachable. The 8.8 values from osv and vendor_ubuntu are carried over from the Ubuntu Drupal advisories below, which score the bundled CVE-2020-13671 rather than this issue.
OSV · drupal7 vulnerabilities · 2024-09-03 · CVSS 8.8 · CVE-2020-13671 [HIGH]
USN-6981-1 fixed vulnerabilities in Drupal. This update provides the
corresponding updates for Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that Drupal incorrectly sanitized uploaded filenames. A
remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A
remote attacker could possibly use this issue to overwrite arbitrary
files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
OSV · drupal7 vulnerabilities · 2024-08-27 · CVSS 8.8 · CVE-2020-13671 [HIGH]
It was discovered that Drupal incorrectly sanitized uploaded filenames. A
remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A
remote attacker could possibly use this issue to overwrite arbitrary files,
or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
GHSA · Drupal core Arbitrary PHP code execution · 2024-05-15 · CVSS 7.8 · CVE-2020-28948 [HIGH] · CWE-94
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
CVE-2020-28948
CVE-2020-28949
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.
OSV · Drupal core Arbitrary PHP code execution · 2024-05-15 · CVSS 7.8 · CVE-2020-28948 [HIGH]
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
CVE-2020-28948
CVE-2020-28949
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files.
GHSA · Multiple vulnerabilities through filename manipulation in Archive_Tar · 2021-04-22 · CVE-2020-28949 [HIGH] · CWE-74
Archive_Tar through 1.4.10 has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed. See: https://github.com/pear/Archive_Tar/issues/33
OSV · Multiple vulnerabilities through filename manipulation in Archive_Tar · 2021-04-22 · CVE-2020-28948 [HIGH]
Archive_Tar through 1.4.10 has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed. See: https://github.com/pear/Archive_Tar/issues/33
OSV · Deserialization of Untrusted Data in Archive_Tar · 2021-04-22 · CVE-2020-28948 [HIGH]
Archive_Tar through 1.4.10 allows an unserialization attack because `phar:` is blocked but `PHAR:` is not blocked. See: https://github.com/pear/Archive_Tar/issues/33
OSV · CVE-2020-28948: The Drupal project uses the PEAR Archive_Tar library · 2020-11-25 · CVSS 7.8 · CVE-2020-28948 [HIGH]
The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see:
* [CVE-2020-28948](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948)
* [CVE-2020-28949](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949)
Multiple vulnerabilities are possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processes them.
**To mitigate this issue, prevent untrusted users from uploading `.tar`, `.tar.gz`, `.bz2`, or `.tlz` files.**
This is a different issue than [SA-CORE-2019-012](https://www.drupal.org/sa-core-2019-012). Similar configuration changes may mitigate the problem until you are able to patch.
OSV · CVE-2020-28949: Archive_Tar through 1 · 2020-11-19 · CVSS 7.8 · CVE-2020-28949 [HIGH]
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
VulnCheck · PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability · 2020 · CVSS 7.8 · CVE-2020-28949 [HIGH] · CWE-74
PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux.
Affected: PEAR Archive_Tar
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf; https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2024_Trustwave_Public_Sector_Threat_Landscape
Ubuntu · Drupal vulnerabilities · 2024-09-03 · CVSS 8.8 · CVE-2020-13671 [HIGH]
Summary: Drupal could be made to crash or run programs if it received
specially crafted network traffic.
USN-6981-1 fixed vulnerabilities in Drupal. This update provides the
corresponding updates for Ubuntu 14.04 LTS.
Original advisory details:
It was discovered that Drupal incorrectly sanitized uploaded filenames. A
remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A
remote attacker could possibly use this issue to overwrite arbitrary
files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu · Drupal vulnerabilities · 2024-08-27 · CVSS 8.8 · CVE-2020-13671 [HIGH]
Summary: Drupal could be made to crash or run programs if it received
specially crafted network traffic.
It was discovered that Drupal incorrectly sanitized uploaded filenames. A
remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-13671)
It was discovered that Drupal incorrectly sanitized archived filenames. A
remote attacker could possibly use this issue to overwrite arbitrary files,
or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)
Instructions: In general, a standard system update will make all the necessary changes.
CISA · PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability · 2022-08-25 · CVSS 7.8 · CVE-2020-28949 [HIGH] · CWE-74
Affected: PEAR Archive_Tar
PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux.
Required Action: Apply updates per vendor instructions.
Notes: https://pear.php.net/bugs/bug.php?id=27002, https://www.drupal.org/sa-core-2020-013, https://access.redhat.com/security/cve/cve-2020-28949; https://nvd.nist.gov/vuln/detail/CVE-2020-28949
Remediation Due Date: 2022-09-15
Ubuntu · PEAR vulnerabilities · 2020-12-01 · CVE-2020-28948
Summary: PEAR could be made to run programs as an administrator.
It was discovered that PEAR incorrectly sanitized filenames. A remote
attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Drupal · Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013 · 2020-11-25 · CVSS 7.8 · CVE-2020-28949 [HIGH]
Vulnerability Type: Arbitrary PHP code execution
Description: The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see: CVE-2020-28948, CVE-2020-28949. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them. To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files. This is a different issue than SA-CORE-2019-012. Similar configuration changes may mitigate the problem until you are able to patch.
Solution: Install the latest version: If you are using Drupal 9.0, update to Drupal 9
Red Hat · Archive_Tar: improper filename sanitization leads to file overwrites · 2020-11-19 · CVSS 7.8 · CVE-2020-28949 [HIGH] · CWE-20
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
A flaw was found in the Archive_Tar package. PEAR Archive_Tar could allow a local authenticated attacker to bypass security restrictions caused by a stream-wrapper attack. An attacker can overwrite arbitrary files on the system using a specially-crafted tar archive.
Statement: PHP 7.2, 7.3 and 7.4 are all deprecated. There would be no patches made available for php-pear.
Package: php-pear (Red Hat Enterprise Linux 6) - Out of support scope
Package: php:7.2/php-pear (Red Hat Enterprise Linux 8) - Will not fix
Package: php:7.3/php-pear (
Debian · CVE-2020-28949: php-pear - Archive_Tar through 1.4.10 has :// filename sanitization only to address phar at... · 2020 · CVSS 7.8 · CVE-2020-28949 [HIGH]
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
Scope: local
bookworm: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
bullseye: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
forky: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
sid: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
trixie: resolved (fixed in 1:1.10.9+submodules+notgz-1.1)
No detection rules found.
References
- http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html
- https://github.com/pear/Archive_Tar/issues/33
- https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/
- https://security.gentoo.org/glsa/202101-23
- https://www.debian.org/security/2020/dsa-4817
- https://www.drupal.org/sa-core-2020-013
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949
Timeline
2020-11-19 · Published
2022-08-25 · Added to CISA KEV
Exploited in the wild