CVE-2020-28949
published 2020-11-19


Priority: P1 · 88 · high · CVSS 3.1: 7.8
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (due 2022-09-15)
Exploited in the wild
EPSS: 84.55% (99.7th percentile)

Description

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Affected

18 ranges

Vendor          Product        Version range                                        Fixed in
debian          debian_linux   (not given)                                          (not given)
debian          debian_linux   (not given)                                          (not given)
debian          php-pear       < 1:1.10.9+submodules+notgz-1.1 (bookworm)           1:1.10.9+submodules+notgz-1.1 (bookworm)
drupal          core           >= 7.0.0 < 7.75                                      7.75
drupal          core           >= 8.0.0 < 8.8.12                                    8.8.12
drupal          core           >= 8.9.0 < 8.9.10                                    8.9.10
drupal          core           >= 9.0.0 < 9.0.9                                     9.0.9
drupal          drupal         >= 7.0 < 7.75                                        7.75
drupal          drupal         >= 8.0.0 < 8.9.10                                    8.9.10
drupal          drupal         >= 8.8.0 < 8.8.12                                    8.8.12
drupal          drupal         >= 9.0.0 < 9.0.9                                     9.0.9
drupal          drupal_core    (not given)                                          (not given)
fedoraproject   fedora         (not given)                                          (not given)
fedoraproject   fedora         (not given)                                          (not given)
fedoraproject   fedora         (not given)                                          (not given)
fedoraproject   fedora         (not given)                                          (not given)
pear            archive_tar    >= 0 < 1.4.11                                        1.4.11
php             archive_tar    < 1.4.12                                             1.4.12

The two archive_tar rows disagree on the fixed release (1.4.11 versus 1.4.12). Treat every 1.4.10 and older build as vulnerable, and when pinning a floor for the library, require the higher of the two. Drupal bundles Archive_Tar, so the core and drupal rows are the same fix shipped through Drupal's own releases; the Debian and Fedora rows carry no version data on this page.

Detection & IOCs (extracted from sources)

filename    file://
other       PHAR: (uppercase, bypasses phar: block)

  • Flag tar archive uploads (.tar, .tar.gz, .bz2, .tlz) whose member filenames carry a stream-wrapper prefix (file://, phar://, PHAR:// and the like) as malicious; such names are the attack vector for CVE-2020-28949.
  • Check case-insensitively: Archive_Tar blocks lowercase 'phar:' but not uppercase 'PHAR:', and PHP resolves wrapper names without regard to case, so inspect filenames inside archives for any scheme followed by :// regardless of case.
  • Monitor for files written by the PHP process user immediately after a tar extraction, particularly under sensitive paths (web roots, cron and configuration directories); the exploit writes with exactly the permissions of the user running PHP, no more.
  • The Metasploit module 'exploits/multi/fileformat/archive_tar_arb_file_write' targets Archive_Tar <= 1.4.10; alert on use of this module or on crafted tar files matching its output pattern.
  • Drupal installations are only vulnerable if configured to allow untrusted users to upload .tar, .tar.gz, .bz2 or .tlz files; disabling those upload types mitigates the risk without patching.
  • Red Hat has marked php-pear 'Will not fix' across RHEL 8 (php:7.2, php:7.3) and Red Hat Software Collections (rh-php73), so systems running these packages remain exposed unless mitigated at the application layer.
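The first two indicators above reduce to one question: does any member name in the archive start with a stream-wrapper scheme, in any case? The following is an added example, not code from this page's sources or from Archive_Tar itself. It builds a constructed sample archive in memory (a benign member plus phar://, PHAR://, file:// and ../ names), scans the member list without extracting anything, and compares a weak filter that rejects only the exact lowercase phar:// prefix (the idea behind the pre-1.4.11 sanitization, re-expressed in Python, not the library's own code) against a hardened filter that rejects any scheme:// prefix case-insensitively and, as a hypothetical extra policy, absolute paths and parent-directory components. The function names and the sample member names are assumptions for the demo.

```python
import io
import re
import tarfile

# Any "scheme://" prefix, matched without regard to case. PHP resolves stream
# wrapper names case-insensitively, so PHAR:// or FILE:// behave like the
# lowercase forms; the '.' in the class covers names such as compress.zlib://.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def weak_check(name: str) -> bool:
    """Weak filter: reject only the exact lowercase phar:// prefix.

    Re-expresses the one-hard-coded-prefix idea behind the pre-1.4.11
    sanitization in Python; this is not Archive_Tar's own code.
    """
    return name.startswith("phar://")


def hardened_check(name: str) -> bool:
    """Hardened filter (hypothetical policy): reject any stream-wrapper prefix
    in any case, plus absolute paths and parent-directory components."""
    if WRAPPER_RE.match(name):
        return True
    parts = name.replace("\\", "/").split("/")
    return parts[0] == "" or ".." in parts


def scan_tar(data: bytes) -> list:
    """Return (member_name, weak_flagged, hardened_flagged) for every member of
    a tar / tar.gz / tar.bz2 blob. Only the headers are read; nothing is extracted."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf:
            results.append(
                (member.name, weak_check(member.name), hardened_check(member.name))
            )
    return results


def verdict(data: bytes) -> str:
    """'reject' if the hardened filter flags any member, otherwise 'accept'."""
    return "reject" if any(hard for _, _, hard in scan_tar(data)) else "accept"


def build_sample_tar() -> bytes:
    """Constructed sample archive for the demo (not a captured exploit file):
    one benign member and four hostile member names."""
    names = [
        "docs/readme.txt",                  # benign
        "phar://tmp/evil.phar/x",           # the one case the weak filter catches
        "PHAR://tmp/evil.phar/x",           # uppercase variant slips past it
        "file:///var/www/html/shell.php",   # file:// write, the CVE-2020-28949 vector
        "../../etc/cron.d/job",             # plain path traversal, for comparison
    ]
    payload = b"<?php echo 'constructed payload'; ?>\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)  # name is stored verbatim
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_tar()
    for name, weak, hard in scan_tar(sample):
        print(f"{name:36} weak={weak!s:5} hardened={hard}")
    print("verdict:", verdict(sample))
```

Run it and the weak filter flags exactly one of the four hostile names while the hardened filter flags all four; that gap between the two columns is the CVE. Scanning member headers before extraction is the right place for the control, because the write has already happened by the time a file-integrity monitor sees it.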

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
ghsa                     7.8    HIGH
osv                      8.8    HIGH
vulncheck                7.8    HIGH
cisa                     7.8    HIGH
vendor_ubuntu            8.8    HIGH
vendor_debian            7.8    HIGH
vendor_redhat            7.8    HIGH

The 7.8 versus 8.8 split is the attack-vector question: the NVD v3.1 vector rescores to exactly 8.8 if AV:L is replaced by AV:N with every other metric unchanged. For a web application that accepts tar uploads from remote users (the Drupal scenario above) the network vector is the realistic one, so prioritise as 8.8 there.