CVE-2020-36193
Published 2021-01-18
Priority P1 · 89 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2022-09-15
Exploited in the wild
EPSS: 70.59% (99.3rd percentile)
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Affected (20 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | php-pear | < php-pear 1:1.10.12+submodules+notgz+20210212-1 (bookworm) | php-pear 1:1.10.12+submodules+notgz+20210212-1 (bookworm) |
| debian | php-pear | < php-pear 1:1.10.13+submodules+notgz-1 (bookworm) | php-pear 1:1.10.13+submodules+notgz-1 (bookworm) |
| drupal | core | >= 8.0.0 < 8.9.13 | 8.9.13 |
| drupal | core | >= 9.0.0 < 9.0.11 | 9.0.11 |
| drupal | core | >= 9.1.0 < 9.1.3 | 9.1.3 |
| drupal | drupal | >= 7.0 < 7.78 | 7.78 |
| drupal | drupal | >= 8.9.0 < 8.9.13 | 8.9.13 |
| drupal | drupal | >= 9.0.0 < 9.0.11 | 9.0.11 |
| drupal | drupal | >= 9.1.0 < 9.1.3 | 9.1.3 |
| drupal | drupal_core | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| pear | archive_tar | >= 0 < 1.4.14 | 1.4.14 |
| pear | archive_tar | >= 0 < 1.4.13 | 1.4.13 |
| php | archive_tar | < 1.4.14 | 1.4.14 |
| php | archive_tar | <= 1.4.11 | — |
Detection & IOCs (extracted from sources)
- Flag upload or processing of .tar, .tar.gz, .bz2, or .tlz files through web applications using Archive_Tar (e.g. Drupal); these file types are the attack vector for exploitation.
- Monitor for directory traversal sequences (/../) in requests targeting Tar.php, indicative of an attacker attempting to write files outside the intended extraction directory via symlink abuse.
- Detect symbolic links within archive files (tar, tar.gz, bz2, tlz) that resolve to paths outside the extraction target directory, a hallmark of this vulnerability's exploitation technique.
- Exploitation requires the application to be configured to accept and process archive file uploads (.tar, .tar.gz, .bz2, .tlz). Systems not accepting these file types are not directly exploitable via this vector.
- php-pear versions shipped with RHEL 7.2, 7.3, and RHEL 8 (php:7.2, php:7.3 streams) will NOT receive patches; rh-php73-php-pear in Red Hat Software Collections is also unpatched. Deployments on these platforms remain permanently vulnerable unless mitigated.
- CVE-2021-32610 is a distinct but related symlink vulnerability in Archive_Tar (before 1.4.14) where symlinks can refer to targets outside the extracted archive; do not conflate it with CVE-2020-36193 when scoping patch coverage.
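The third bullet above is the check worth automating: as an added example (not code from this page or from the Archive_Tar project), the following Python pre-extraction scan walks a tar archive's members in order, records every symlink, and flags any entry whose name, symlink target, or parent path (resolved through earlier symlinks) would land outside the extraction root. The sample archive is constructed inline and is not taken from any advisory; it reproduces the symlink-then-write pattern plus a plain `../` name.

```python
import io, posixpath, tarfile

def escapes(path):
    """True if a normalized, root-relative path lies outside the extraction root."""
    return path.startswith("/") or path == ".." or path.startswith("../")

def resolve(path, links, depth=0):
    """Resolve a root-relative path through symlinks seen so far (links: name -> target)."""
    if path.startswith("/") or depth > 32:   # absolute target, or a looping chain: hostile
        return "/" if depth > 32 else path
    cur = "."
    for part in [p for p in path.split("/") if p not in ("", ".")]:
        cur = posixpath.normpath(posixpath.join(cur, part))
        if cur in links:  # substitute the link target, which is relative to the link's directory
            cur = resolve(posixpath.join(posixpath.dirname(cur), links[cur]), links, depth + 1)
            if cur.startswith("/"):
                return cur
    return cur

def check_member(m, links):
    """Reason string if extracting TarInfo m would write outside the root, else None."""
    name = posixpath.normpath(m.name)
    if escapes(name):
        return "entry name traverses outside the root"
    if escapes(resolve(posixpath.dirname(name), links)):
        return "entry path passes through a symlink that leaves the root"
    if m.issym():
        links[name] = m.linkname  # record first so later entries resolve through it
        if escapes(resolve(posixpath.join(posixpath.dirname(name), m.linkname), links)):
            return "symlink target leaves the root"
    return None

def find_unsafe_members(data):
    """Scan tar bytes before extraction; returns [(member name, reason)] for unsafe entries."""
    links = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        checked = [(m.name, check_member(m, links)) for m in tar]
    return [(n, r) for n, r in checked if r]

def build_sample_archive():
    """Constructed sample: benign entries, the symlink-then-write pattern, and a ../ name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in [("safe/readme.txt", ""), ("safe/link", "readme.txt"),
                             ("out", "../../etc"), ("out/passwd", ""), ("../escape.txt", "")]:
            ti = tarfile.TarInfo(name)  # empty regular file unless a symlink target is given
            ti.type, ti.linkname = (tarfile.SYMTYPE, target) if target else (tarfile.REGTYPE, "")
            tar.addfile(ti)
    return buf.getvalue()
```

Run `find_unsafe_members` on the bytes of an uploaded archive and reject the upload if the list is non-empty; the check is lexical, so it needs no filesystem access and runs before anything is written.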
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | — | 7.8 | HIGH | — |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
GHSA · 2021-08-09 · CVSS 7.5 · CVE-2021-32610 [HIGH] CWE-59
Directory Traversal in Archive_Tar
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
OSV · 2021-08-09 · CVSS 7.5 · CVE-2021-32610 [HIGH]
Directory Traversal in Archive_Tar
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
OSV · 2021-07-30 · CVSS 7.5 · CVE-2021-32610 [HIGH]
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
OSV · 2021-04-22 · CVSS 7.8 · CVE-2020-36193 [HIGH]
Directory Traversal in Archive_Tar
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
### :exclamation: Note:
There was an [initial fix](https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916) for this vulnerability made in version `1.4.12`. That fix introduced a bug which was [fixed in 1.4.13](https://github.com/pear/Archive_Tar/pull/36). Therefore we have set the first-patched-version to `1.4.13`, which is the earliest working version that avoids this vulnerability.
GHSA · 2021-04-22 · CVSS 7.8 · CVE-2020-36193 [HIGH] CWE-22
Directory Traversal in Archive_Tar
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
### :exclamation: Note:
There was an [initial fix](https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916) for this vulnerability made in version `1.4.12`. That fix introduced a bug which was [fixed in 1.4.13](https://github.com/pear/Archive_Tar/pull/36). Therefore we have set the first-patched-version to `1.4.13`, which is the earliest working version that avoids this vulnerability.
OSV · 2021-01-20 · CVSS 7.5 · CVE-2020-36193 [HIGH]
The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal
The Drupal project uses the pear Archive\_Tar library, which has released a security update that impacts Drupal. For more information please see:
* [CVE-2020-36193](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193)
Exploits may be possible if Drupal is configured to allow `.tar`, `.tar.gz`, `.bz2`, or `.tlz` file uploads and processes them.
OSV · 2021-01-18 · CVSS 7.8 · CVE-2020-36193 [HIGH]
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
VulnCheck · 2020 · CVSS 7.5 · CVE-2020-36193 [HIGH] CWE-22
PEAR Archive_Tar Improper Link Resolution Vulnerability
PEAR Archive_Tar Tar.php allows write operations with directory traversal due to inadequate checking of symbolic links. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux.
Affected: PEAR Archive_Tar
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf
- https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2024_Trustwave_Public_Sector_Threat
CISA · 2022-08-25 · CVSS 7.5 · CVE-2020-36193 [HIGH] CWE-22
Vulnerability: PEAR Archive_Tar Improper Link Resolution Vulnerability
Affected: PEAR Archive_Tar
PEAR Archive_Tar Tar.php allows write operations with directory traversal due to inadequate checking of symbolic links. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux.
Required Action: Apply updates per vendor instructions.
Notes:
- https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
- https://www.drupal.org/sa-core-2021-001
- https://access.redhat.com/security/cve/cve-2020-36193
- https://nvd.nist.gov/vuln/detail/CVE-2020-36193
Remediation Due Date: 2022-09-15
Red Hat · 2021-07-30 · CVSS 7.5 · CVE-2021-32610 [HIGH] CWE-22
php-pear: Directory traversal vulnerability
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
Package: php-pear (Red Hat Enterprise Linux 6) - Out of support scope
Package: php-pear (Red Hat Enterprise Linux 7) - Out of support scope
Package: php:7.3/php-pear (Red Hat Enterprise Linux 8) - Will not fix
Package: php-pear (Red Hat Enterprise Linux 9) - Not affected
Package: rh-php73-php-pear (Red Hat Software Collections) - Will not fix
Ubuntu · 2021-02-08 · CVE-2020-36193
Title: PEAR vulnerability
Summary: PEAR could be made to overwrite files as the administrator.
It was discovered that PEAR incorrectly handled symbolic links in archives.
A remote attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · 2021-01-27 · CVSS 7.8 · CVE-2020-36193 [HIGH] CWE-22
Archive_Tar: directory traversal due to inadequate checking of symbolic links
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
A flaw was found in the Archive_Tar package. Archive_Tar could allow a remote attacker to traverse directories on the system caused by inadequate checking of symbolic links. An attacker could send a specially-crafted URL request to the Tar.php script containing "dot dot" sequences (/../) to modify arbitrary files on the system.
Statement: php-pear 7.2 and 7.3 have been marked End of Life at the time this CVE was released. Therefore no patches would be made available for those versions.
Package: php-pear (Red Hat Enterprise Linux 6) - Out of sup
Drupal · 2021-01-20 · CVSS 7.5 · CVE-2020-36193 [HIGH]
Title: Drupal core - Critical - Third-party libraries - SA-CORE-2021-001
Vulnerability Type: Third-party libraries
Description: The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. For more information please see: CVE-2020-36193. Exploits may be possible if Drupal is configured to allow .tar, .tar.gz, .bz2, or .tlz file uploads and processes them.
Solution: Install the latest version:
- If you are using Drupal 9.1, update to Drupal 9.1.3.
- If you are using Drupal 9.0, update to Drupal 9.0.11.
- If you are using Drupal 8.9, update to Drupal 8.9.13.
- If you are using Drupal 7, update to Drupal 7.78.
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage. Disable uploads of .tar, .tar.gz, .bz2,
Debian · 2021 · CVSS 7.5 · CVE-2021-32610 [HIGH] · php-pear
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
Scope: local
bookworm: resolved (fixed in 1:1.10.13+submodules+notgz-1)
bullseye: open
forky: resolved (fixed in 1:1.10.13+submodules+notgz-1)
sid: resolved (fixed in 1:1.10.13+submodules+notgz-1)
trixie: resolved (fixed in 1:1.10.13+submodules+notgz-1)
Debian · 2020 · CVSS 7.8 · CVE-2020-36193 [HIGH] · php-pear
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Scope: local
bookworm: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
bullseye: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
forky: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
sid: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
trixie: resolved (fixed in 1:1.10.12+submodules+notgz+20210212-1)
No detection rules found.
No public exploits indexed.
References
- https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
- https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html
- https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/
- https://security.gentoo.org/glsa/202101-23
- https://www.debian.org/security/2021/dsa-4894
- https://www.drupal.org/sa-core-2021-001
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-36193
Timeline
2021-01-18: Published
2022-08-25: Added to CISA KEV
Exploited in the wild