CVE-2021-32610
published 2021-07-30

CVE-2021-32610: In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

Priority: P3 (51)
CVSS 3.1: 7.1 (high), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 73.38% (99.4th percentile)

Affected

11 ranges

Vendor        | Product      | Version range                                        | Fixed in
debian        | debian_linux |                                                      |
debian        | php-pear     | < php-pear 1:1.10.13+submodules+notgz-1 (bookworm)   | php-pear 1:1.10.13+submodules+notgz-1 (bookworm)
drupal        | core         | >= 8.0.0, < 8.9.17                                   | 8.9.17
drupal        | core         | >= 9.1.0, < 9.1.11                                   | 9.1.11
drupal        | core         | >= 9.2.0, < 9.2.2                                    | 9.2.2
drupal        | drupal_core  |                                                      |
fedoraproject | fedora       |                                                      |
fedoraproject | fedora       |                                                      |
fedoraproject | fedora       |                                                      |
pear          | archive_tar  | >= 0, < 1.4.14                                       | 1.4.14
php           | archive_tar  | < 1.4.14                                             | 1.4.14

Detection & IOCs (extracted from sources)

  • Vulnerable component: Archive_Tar versions before 1.4.14 allow symlinks in extracted archives to refer to targets outside the archive directory (path traversal via symlink)
  • Attack vector targets extraction of tar archives (.tar, .tar.gz, .bz2, .tlz) from untrusted sources using the Archive_Tar library — monitor for symlink creation during archive extraction pointing outside the destination directory
  • Drupal core itself is NOT vulnerable because it disables symlink support in Archive_Tar — focus detection on contrib/custom code that calls Archive_Tar without disabling symlinks
  • Impact: attacker can overwrite arbitrary files with administrator-level privileges via symlink traversal during archive extraction
  • Archive_Tar symlink following is the root cause — ensure the library is configured to disallow symlinks (as Drupal core does) when extracting archives from untrusted sources
  • Fixed version threshold: Archive_Tar 1.4.14 resolves the issue; Debian fix is in php-pear 1:1.10.13+submodules+notgz-1

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.1         | 7.1   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd           | v2.0         | 3.6   | LOW      | AV:L/AC:L/Au:N/C:P/I:P/A:N
ghsa          |              | 7.5   | HIGH     |
osv           |              | 7.5   | HIGH     |
vendor_debian |              | 7.5   | HIGH     |
vendor_redhat |              | 7.5   | HIGH     |