CyberSec.Space Logo
Back to CVE Browser

CVE-2020-36193

Known Exploited (CISA KEV)HIGH
7.5
CVSS Severity Score
EPSS Score56.0900%
EPSS Percentile97.66th
PublishedJan 18, 2021
Last ModifiedNov 7, 2025

Vulnerability Description

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Affected Platforms (CPE)

πŸ“¦
Php

Archive Tar

<= 1.4.11
πŸ’»
Fedoraproject

Fedora

= 32
πŸ’»
Fedoraproject

Fedora

= 33
πŸ’»
Fedoraproject

Fedora

= 34
πŸ’»
Fedoraproject

Fedora

= 35
πŸ’»
Debian

Debian Linux

= 9.0
πŸ’»
Debian

Debian Linux

= 10.0
πŸ“¦
Drupal

Drupal

>= 7.0 and < 7.78
πŸ“¦
Drupal

Drupal

>= 8.9.0 and < 8.9.13
πŸ“¦
Drupal

Drupal

>= 9.0.0 and < 9.0.11
πŸ“¦
Drupal

Drupal

>= 9.1.0 and < 9.1.3

References & Advisories

πŸ”— https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
πŸ”— https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html
πŸ”— https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/
πŸ”— https://security.gentoo.org/glsa/202101-23

Related Vulnerabilities

CVE-2008-714410.0

Multiple unspecified vulnerabilities in RARLAB WinRAR before 3.71 have unknown impact and attack vectors related to crafted (1) AC...

CVE-2007-45599.8

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assi...

CVE-2019-198269.8

The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filte...

CVE-2021-381979.8

unarr.go in go-unarr (aka Go bindings for unarr) 0.1.1 allows Directory Traversal via ../ in a pathname within a TAR archive.