CVE-2020-36193
published 2021-01-18

Priority: P1 · 89 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Badges: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2022-09-15
Exploited in the wild
EPSS: 70.59% (99.3rd percentile)
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Affected

20 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | php-pear | < php-pear 1:1.10.12+submodules+notgz+20210212-1 (bookworm) | php-pear 1:1.10.12+submodules+notgz+20210212-1 (bookworm) |
| debian | php-pear | < php-pear 1:1.10.13+submodules+notgz-1 (bookworm) | php-pear 1:1.10.13+submodules+notgz-1 (bookworm) |
| drupal | core | >= 8.0.0 < 8.9.13 | 8.9.13 |
| drupal | core | >= 9.0.0 < 9.0.11 | 9.0.11 |
| drupal | core | >= 9.1.0 < 9.1.3 | 9.1.3 |
| drupal | drupal | >= 7.0 < 7.78 | 7.78 |
| drupal | drupal | >= 8.9.0 < 8.9.13 | 8.9.13 |
| drupal | drupal | >= 9.0.0 < 9.0.11 | 9.0.11 |
| drupal | drupal | >= 9.1.0 < 9.1.3 | 9.1.3 |
| drupal | drupal_core | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| pear | archive_tar | >= 0 < 1.4.14 | 1.4.14 |
| pear | archive_tar | >= 0 < 1.4.13 | 1.4.13 |
| php | archive_tar | < 1.4.14 | 1.4.14 |
| php | archive_tar | <= 1.4.11 | |

Detection & IOCs (extracted from sources)

URL: https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
Path: Tar.php
  • Flag upload or processing of .tar, .tar.gz, .bz2, or .tlz files through web applications that use Archive_Tar (e.g. Drupal); these file types are the attack vector for exploitation.
  • Monitor for directory traversal sequences (/../) in requests targeting Tar.php; they indicate an attempt to write files outside the intended extraction directory via symlink abuse.
  • Detect symbolic links within archive files (tar, tar.gz, bz2, tlz) whose targets resolve to paths outside the extraction target directory; this is the hallmark of this vulnerability's exploitation technique.
  • Exploitation requires the application to be configured to accept and process archive file uploads (.tar, .tar.gz, .bz2, .tlz). Systems that do not accept these file types are not directly exploitable via this vector.
  • php-pear versions shipped with RHEL 7.2, 7.3, and RHEL 8 (php:7.2, php:7.3 streams) will NOT receive patches; rh-php73-php-pear in Red Hat Software Collections is also unpatched. Deployments on these platforms remain permanently vulnerable unless mitigated.
  • CVE-2021-32610 is a distinct but related symlink vulnerability in Archive_Tar (before 1.4.14) in which symlinks can refer to targets outside the extracted archive; do not conflate it with CVE-2020-36193 when scoping patch coverage.
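The third bullet above describes the check a defender wants before an uploaded archive is handed to an extractor: does any entry, by its name or by a symlink target, resolve to a path outside the extraction root? The following is an added example written for this page, not code from Archive_Tar or from the fix commit linked above. It uses Python's standard tarfile module to inspect a constructed in-memory archive, resolves every entry against an example extraction root (the path /var/www/uploads is an assumption used only for path arithmetic; nothing is written to disk), and reports entries that would escape. It generalizes slightly beyond the bullet by also treating hard-link targets and absolute entry names as escapes, since an extractor that honours them writes outside the root just as a symlink does.

```python
"""Pre-extraction scanner for tar archives: flag entries that would write
outside the extraction root via '../' names, absolute names, or symlink /
hardlink targets. Added example, not Archive_Tar code."""
import io
import posixpath
import tarfile


def _inside(path, root):
    """True if an already-normalized absolute path lies at or below root."""
    return path == root or path.startswith(root + "/")


def find_unsafe_entries(archive_bytes, extract_root="/var/www/uploads"):
    """Return [(member name, reason)] for entries that escape extract_root.

    extract_root is an assumed example path; it is only used to resolve the
    entry names and link targets, so the function never touches the disk.
    Paths are normalized with posixpath.normpath so '.', '..' and repeated
    separators are collapsed the way an extractor would resolve them.
    """
    root = posixpath.normpath(extract_root)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            # Where this entry would land if extracted. An absolute member
            # name makes posixpath.join discard the root entirely.
            dest = posixpath.normpath(posixpath.join(root, m.name))
            if not _inside(dest, root):
                findings.append((m.name, "path traversal"))
                continue
            if m.issym():
                # Symlink targets are resolved relative to the link's own
                # directory, exactly as the filesystem would resolve them.
                if posixpath.isabs(m.linkname):
                    target = posixpath.normpath(m.linkname)
                else:
                    target = posixpath.normpath(
                        posixpath.join(posixpath.dirname(dest), m.linkname))
                if not _inside(target, root):
                    findings.append((m.name, "symlink escapes root"))
            elif m.islnk():
                # Hard-link targets are archive-relative names, so they are
                # resolved against the extraction root, not the entry's dir.
                target = posixpath.normpath(posixpath.join(root, m.linkname))
                if not _inside(target, root):
                    findings.append((m.name, "hardlink escapes root"))
    return findings


def is_archive_safe(archive_bytes, extract_root="/var/www/uploads"):
    """Convenience wrapper: True only when no entry escapes the root."""
    return not find_unsafe_entries(archive_bytes, extract_root)


def build_sample_archive():
    """Construct a small tar in memory (constructed test data, not a real
    sample): a benign file, a '../' traversal name, a symlink pointing far
    above the root, and a symlink that legitimately stays inside it."""
    buf = io.BytesIO()
    data = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ti = tarfile.TarInfo("docs/readme.txt")
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))

        ti = tarfile.TarInfo("../escaped.txt")
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))

        ti = tarfile.TarInfo("link-out")
        ti.type = tarfile.SYMTYPE
        ti.linkname = "../../../../etc"
        tar.addfile(ti)

        ti = tarfile.TarInfo("link-in")
        ti.type = tarfile.SYMTYPE
        ti.linkname = "docs"
        tar.addfile(ti)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, reason in find_unsafe_entries(sample):
        print(f"REJECT {name!r}: {reason}")
    print("safe:", is_archive_safe(sample))
```

Run this check on the raw upload before calling the extractor, and reject the whole archive on any finding rather than skipping the offending entry: the symlink-then-write pattern depends on an earlier entry being accepted, so partial extraction is not a safe fallback. The same resolution logic applies to .tar.gz and .bz2 inputs because tarfile's "r:*" mode detects the compression for you.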

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | | 7.8 | HIGH | |
| osv | | 7.8 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |