CVE-2020-28949

Known Exploited (CISA KEV)HIGH

7.8

CVSS Severity Score

EPSS Score42.5700%

EPSS Percentile98.81th

Published2020年11月19日

Last Modified2025年11月7日

Vulnerability Description

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Affected Platforms (CPE)

📦

Php

Archive Tar

< 1.4.12

💻

Debian

Debian Linux

= 9.0

💻

Debian

Debian Linux

= 10.0

💻

Fedoraproject

Fedora

= 32

💻

Fedoraproject

Fedora

= 33

💻

Fedoraproject

Fedora

= 34

💻

Fedoraproject

Fedora

= 35

📦

Drupal

>= 7.0 and < 7.75

📦

Drupal

>= 8.0.0 and < 8.9.10

📦

Drupal

>= 8.8.0 and < 8.8.12

📦

Drupal

>= 9.0.0 and < 9.0.9

References & Advisories

🔗 http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html

🔗 https://github.com/pear/Archive_Tar/issues/33

🔗 https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/

Vulnerability Description

Affected Platforms (CPE)

Archive Tar

Debian Linux

Debian Linux

Fedora

Fedora

Fedora

Fedora

Drupal

Drupal

Drupal

Drupal

References & Advisories

相关漏洞威胁