
CVE-2020-28949

Known Exploited (CISA KEV)
Severity: HIGH
CVSS Severity Score: 7.8
EPSS Score: 42.5700%
EPSS Percentile: 98.81th
Published: Nov 19, 2020
Last Modified: Nov 7, 2025

Vulnerability Description

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Affected Platforms (CPE)

Vendor / Product: Affected versions

Php / Archive Tar: < 1.4.12
Debian / Debian Linux: = 9.0
Debian / Debian Linux: = 10.0
Fedoraproject / Fedora: = 32
Fedoraproject / Fedora: = 33
Fedoraproject / Fedora: = 34
Fedoraproject / Fedora: = 35
Drupal / Drupal: >= 7.0 and < 7.75
Drupal / Drupal: >= 8.0.0 and < 8.9.10
Drupal / Drupal: >= 8.8.0 and < 8.8.12
Drupal / Drupal: >= 9.0.0 and < 9.0.9
