CVE-2020-28949

CVSS 7.8 HIGH · EPSS 84.6% · KEV
In short

Archive_Tar's filename sanitization during extraction blocks only the phar:// stream wrapper. An attacker can craft an archive whose entry names use other stream wrappers (such as file://) to overwrite existing files on the system when the archive is extracted.

Technical detail

Archive_Tar versions through 1.4.10 sanitize entry filenames incompletely: the check for stream-wrapper syntax rejects only names beginning with phar://, so names using any other PHP stream wrapper (for example file://) are accepted. During extraction such a name reaches the file write unchanged, so a crafted archive can create or overwrite files that the PHP process is allowed to write, outside the intended extraction directory. Exploitation requires a user or application to extract the malicious archive (CVSS UI:R). The filename check was tightened in Archive_Tar 1.4.11 to reject any name containing ://.

Summary generated and translated by AI from the official description.
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
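The following Python script is an added example for this page, not code from the Archive_Tar project or from the official description. It re-implements in Python the gist of the two filename rules described above (the pre-fix rule that rejects only names beginning with phar://, and the corrected rule that rejects any name containing ://), builds a constructed tar archive in memory with a benign entry, a phar:// entry, a file:// entry and a ../ entry, and reports which names each rule would reject without extracting anything. The helper names, the sample entries and the /tmp target path are illustrative assumptions; the traversal check is a simplification of the library's own.

```python
"""Check tar entry names against the filename rules relevant to CVE-2020-28949.

Added example for this page, not Archive_Tar's code: the two predicates below
re-implement in Python the gist of the library's filename check before and
after the fix. Nothing here extracts an archive; it only inspects entry names.
"""
import io
import tarfile


def has_traversal(name: str) -> bool:
    """Plain '../' traversal, which both the old and the fixed rule reject (simplified)."""
    return name.startswith("../") or "/../" in name


def vulnerable_is_malicious(name: str) -> bool:
    """Rule in Archive_Tar through 1.4.10: only the phar:// wrapper is blocked,
    so file:///... and any other wrapper pass straight through to the file write."""
    return name.startswith("phar://") or has_traversal(name)


def fixed_is_malicious(name: str) -> bool:
    """Rule in 1.4.11 and later: any stream-wrapper syntax ('://') is blocked."""
    return "://" in name or has_traversal(name)


def build_test_archive(entries) -> bytes:
    """Build an uncompressed tar in memory with attacker-chosen entry names.

    Python's tarfile writes whatever name it is given, so this is a convenient
    way to produce a probe archive for a system you are authorized to test.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_archive(blob: bytes, rule) -> list:
    """Return the entry names that `rule` would reject, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return [m.name for m in tar.getmembers() if rule(m.name)]


# Constructed sample entries; the file:// target is a hypothetical demo path.
SAMPLE_ENTRIES = [
    ("docs/readme.txt", b"benign content\n"),
    ("phar://evil.phar/x", b"x"),
    ("file:///tmp/cve-2020-28949-demo/overwrite.txt", b"overwritten\n"),
    ("../escape.txt", b"x"),
]


def compare_rules(entries=SAMPLE_ENTRIES) -> dict:
    """Run both rules over a probe archive; names only the fixed rule rejects are the CVE."""
    blob = build_test_archive(entries)
    vulnerable = audit_archive(blob, vulnerable_is_malicious)
    fixed = audit_archive(blob, fixed_is_malicious)
    return {
        "vulnerable": vulnerable,
        "fixed": fixed,
        "bypasses_old_check": [n for n in fixed if n not in vulnerable],
    }


if __name__ == "__main__":
    for key, names in compare_rules().items():
        print(f"{key}: {names}")
```

The only name that appears in the fixed rule's rejection list but not in the vulnerable rule's is the file:// entry, which is exactly the gap this CVE describes. On a real system the authoritative check is the installed library version (1.4.11 or later carries the tightened rule), not the heuristic above; the script is useful for building a probe archive and for screening untrusted archives before handing them to an extractor you cannot update.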
Affected products
n/a · n/a