CVE-2020-36193
In short
The Archive_Tar library fails to properly validate symbolic links when extracting tar files, allowing an attacker to write files outside the intended extraction directory. This could be used to overwrite important system files or inject malicious code.
Technical detail
Archive_Tar versions ≤1.4.11 are vulnerable to directory traversal via inadequate symbolic link validation during tar extraction. An attacker with a crafted tar archive can exploit this to write files to arbitrary locations on the filesystem, bypassing intended extraction boundaries and potentially compromising system integrity.
Summary generated and translated by AI from the official description.
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
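The validation gap described above, shown with an added Python example that is not Archive_Tar's own code: a pre-extraction check that, besides normalising each member's name, resolves every symlink (and hard link) target and rejects any that leaves the extraction root. `TarEntry`, `check_entry`, `check_archive` and the sample listing are constructed for this illustration.

```python
import os
from dataclasses import dataclass

@dataclass
class TarEntry:
    """Minimal view of a tar header; typeflag follows ustar:
    '0' regular file, '5' directory, '1' hard link, '2' symlink."""
    name: str
    typeflag: str = "0"
    linkname: str = ""

def _inside(root: str, path: str) -> bool:
    """True if the absolute, normalised path is root or lies below it."""
    return os.path.commonpath([root, path]) == root

def check_entry(root: str, entry: TarEntry) -> str:
    """Return 'ok', or the reason this member must not be extracted."""
    root = os.path.abspath(root)
    # Check 1: the member's own name, normalised, must stay under root.
    dest = os.path.normpath(os.path.join(root, entry.name))
    if not _inside(root, dest):
        return "name escapes extraction root"
    if entry.typeflag == "2":
        # Check 2 (the gap behind this CVE): resolve the symlink target
        # relative to the link's own directory and require it to stay under
        # root too. Otherwise a later member whose name passes check 1 is
        # written through the link to wherever the target points.
        target = os.path.normpath(os.path.join(os.path.dirname(dest), entry.linkname))
        if os.path.isabs(entry.linkname) or not _inside(root, target):
            return "symlink target escapes extraction root"
    elif entry.typeflag == "1":
        # A hard link names another member and is resolved from root.
        target = os.path.normpath(os.path.join(root, entry.linkname))
        if not _inside(root, target):
            return "hard link target escapes extraction root"
    return "ok"

def check_archive(root: str, entries) -> dict:
    """Map each member name to its verdict; extract only if all are 'ok'."""
    return {e.name: check_entry(root, e) for e in entries}

# Constructed member listing (not a real archive): one benign relative
# symlink, two links that leave the destination, and a file behind one.
SAMPLE = [
    TarEntry("pkg/README"),
    TarEntry("pkg/current", "2", "README"),
    TarEntry("pkg/up", "2", "../../outside"),
    TarEntry("pkg/abs", "2", "/somewhere"),
    TarEntry("pkg/up/file.txt"),
]
```

The check assumes the destination directory holds no pre-existing symlinks; links already on disk need a separate check at write time.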
Affected products
n/a · n/a
References
https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html
https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/
https://security.gentoo.org/glsa/202101-23
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-36193
https://www.debian.org/security/2021/dsa-4894
https://www.drupal.org/sa-core-2021-001