CVE-2021-32610
Published 2021-07-30
Priority: P3 (51) · Severity: high · CVSS 3.1 base score: 7.1
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 73.38% (99.4th percentile)
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php-pear | < php-pear 1:1.10.13+submodules+notgz-1 (bookworm) | php-pear 1:1.10.13+submodules+notgz-1 (bookworm) |
| drupal | core | >= 8.0.0 < 8.9.17 | 8.9.17 |
| drupal | core | >= 9.1.0 < 9.1.11 | 9.1.11 |
| drupal | core | >= 9.2.0 < 9.2.2 | 9.2.2 |
| drupal | drupal_core | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| pear | archive_tar | >= 0 < 1.4.14 | 1.4.14 |
| php | archive_tar | < 1.4.14 | 1.4.14 |
Detection & IOCs (extracted from sources)
- Vulnerable component: Archive_Tar versions before 1.4.14 allow symlinks in extracted archives to refer to targets outside the archive directory (path traversal via symlink)
- Attack vector targets extraction of tar archives (.tar, .tar.gz, .bz2, .tlz) from untrusted sources using the Archive_Tar library; monitor for symlink creation during archive extraction pointing outside the destination directory
- Drupal core itself is NOT vulnerable because it disables symlink support in Archive_Tar; focus detection on contrib/custom code that calls Archive_Tar without disabling symlinks
- Impact: attacker can overwrite arbitrary files with administrator-level privileges via symlink traversal during archive extraction
- Archive_Tar symlink following is the root cause; ensure the library is configured to disallow symlinks (as Drupal core does) when extracting archives from untrusted sources
- Fixed version threshold: Archive_Tar 1.4.14 resolves the issue; Debian fix is in php-pear 1:1.10.13+submodules+notgz-1
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 3.6 | LOW | AV:L/AC:L/Au:N/C:P/I:P/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Ubuntu
vendor_ubuntu · 2021-08-04
CVE-2021-32610 PEAR vulnerability
Summary: PEAR could be made to overwrite files as the administrator.
USN-5027-1 fixed a vulnerability in PEAR. This update provides the corresponding update for Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that PEAR incorrectly handled symbolic links in archives. A remote attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
vendor_redhat · 2021-07-30 · CVSS 7.5
CVE-2021-32610 [HIGH] CWE-22 php-pear: Directory traversal vulnerability
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
Package: php-pear (Red Hat Enterprise Linux 6) - Out of support scope
Package: php-pear (Red Hat Enterprise Linux 7) - Out of support scope
Package: php:7.3/php-pear (Red Hat Enterprise Linux 8) - Will not fix
Package: php-pear (Red Hat Enterprise Linux 9) - Not affected
Package: rh-php73-php-pear (Red Hat Software Collections) - Will not fix
Ubuntu
vendor_ubuntu · 2021-07-29
CVE-2021-32610 PEAR vulnerability
Summary: PEAR could be made to overwrite files as the administrator.
It was discovered that PEAR incorrectly handled symbolic links in archives. A remote attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Drupal
vendor_drupal · 2021-07-21
CVE-2021-32610 [HIGH] Drupal core - Critical - Third-party libraries - SA-CORE-2021-004
Vulnerability Type: Drupal core - Critical - Third-party libraries
Description: The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal. The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks. Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source. This advisory is not covered by Drupal Steward.
Solution: Install the latest version: If you are using Drupal 9.2, update to Drupal 9.2.2. If you are using Drupal 9.1, update
Debian
vendor_debian · 2021 · CVSS 7.5
CVE-2021-32610 [HIGH] php-pear
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
Scope: local
bookworm: resolved (fixed in 1:1.10.13+submodules+notgz-1)
bullseye: open
forky: resolved (fixed in 1:1.10.13+submodules+notgz-1)
sid: resolved (fixed in 1:1.10.13+submodules+notgz-1)
trixie: resolved (fixed in 1:1.10.13+submodules+notgz-1)
GHSA
ghsa · 2021-08-09 · CVSS 7.5
CVE-2021-32610 [HIGH] CWE-59 Directory Traversal in Archive_Tar
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
OSV
osv · 2021-08-09 · CVSS 7.5
CVE-2021-32610 [HIGH] Directory Traversal in Archive_Tar
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
OSV
osv · 2021-07-30 · CVSS 7.5
CVE-2021-32610 [HIGH]
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
OSV
osv · 2021-07-21
CVE-2021-32610: The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal
The Drupal project uses the pear Archive_Tar library, which has released a security update that impacts Drupal.
The vulnerability is mitigated by the fact that Drupal core's use of the Archive_Tar library is not vulnerable, as it does not permit symlinks.
Exploitation may be possible if contrib or custom code uses the library to extract tar archives (for example .tar, .tar.gz, .bz2, or .tlz) which come from a potentially untrusted source.
This advisory is not covered by Drupal Steward.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/pear/Archive_Tar/commit/7789ebb2f34f9e4adb3a4152ad0d1548930a9755
- https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f
- https://github.com/pear/Archive_Tar/releases/tag/1.4.14
- https://lists.debian.org/debian-lts-announce/2021/07/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAODVMHGL5MHQWQAQTXQ7G7OE3VQZ7LS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G5LTY6COQYNMMHQJ3QIOJHEWCKD4XDFH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/
- https://www.drupal.org/sa-core-2021-004
Published: 2021-07-30