⚠ Actively exploited
Added to CISA KEV on 2022-08-25. Federal agencies required to patch by 2022-09-15. Required action: Apply updates per vendor instructions..

CVE-2020-36193

CWE-22Path TraversalCWE-5914 documents10 sources
Severity
7.5HIGH
EPSS
71.1%
top 1.29%
CISA KEV
KEV
Added 2022-08-25
Due 2022-09-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
6
Drupal DrupalDrupal CorePear Archive TAR+3 more
Timeline
PublishedJan 18
KEV addedAug 25
KEV dueSep 15
CISA Required Action: Apply updates per vendor instructions.

Description

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

Packagistdrupal/core8.0.08.9.13+2
NVDdrupal/drupal7.07.78+3
Packagistpear/archive_tar< 1.4.13
Debianphp-pear< 1:1.10.12+submodules+notgz+20210212-1+3
NVDphp/archive_tar1.4.11

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33, 34, 35

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

7
GHSA
Directory Traversal in Archive_Tar2021-08-09
OSV
Directory Traversal in Archive_Tar2021-04-22
GHSA
Directory Traversal in Archive_Tar2021-04-22
OSV
CVE-2020-36193: The Drupal project uses the pear Archive\_Tar library, which has released a security update that impacts Drupal2021-01-20
OSV
CVE-2020-36193: Tar2021-01-18

📋Vendor Advisories

6
CISA
PEAR Archive_Tar Improper Link Resolution Vulnerability2022-08-25
Red Hat
php-pear: Directory traversal vulnerability2021-07-30
Ubuntu
PEAR vulnerability2021-02-08
Red Hat
Archive_Tar: directory traversal due to inadequate checking of symbolic links2021-01-27
Drupal
Drupal core - Critical - Third-party libraries - SA-CORE-2021-0012021-01-20
CVE-2020-36193 (HIGH CVSS 7.5) | Tar.php in Archive_Tar through 1.4. | cvebase.io