CVE-2021-32610

CWE-59 CWE-22 — Path Traversal11 documents8 sources

Severity

7.1HIGH

EPSS

3.0%

top 13.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Archive TAR Drupal Core Pear Archive TAR +2 more

Timeline

PublishedJul 30

Latest updateAug 9

Description

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2

Affected Packages4 packages

▶NVDphp/archive_tar< 1.4.14

▶Packagistpear/archive_tar< 1.4.14

▶Packagistdrupal/core8.0.0 — 8.9.17+2

▶Debianphp-pear< 1:1.10.13+submodules+notgz-1+2

Also affects: Debian Linux 9.0, Fedora 33, 34, 35

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Directory Traversal in Archive_Tar↗2021-08-09

▶

OSV

Directory Traversal in Archive_Tar↗2021-08-09

▶

OSV

CVE-2021-32610: In Archive_Tar before 1↗2021-07-30

▶

CVEList

CVE-2021-32610: In Archive_Tar before 1↗2021-07-27

▶

OSV

CVE-2021-32610: The Drupal project uses the pear Archive\_Tar library, which has released a security update that impacts Drupal↗2021-07-21

▶

📋Vendor Advisories

Ubuntu

PEAR vulnerability↗2021-08-04

▶

Red Hat

php-pear: Directory traversal vulnerability↗2021-07-30

▶

Ubuntu

PEAR vulnerability↗2021-07-29

▶

Drupal

Drupal core - Critical - Drupal core - Critical - Third-party libraries - SA-CORE-2021-004↗2021-07-21

▶

Debian

CVE-2021-32610: php-pear - In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extra...↗2021

▶