CVE-2020-28948

nvd nist

Published: Nov 19, 2020Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

Affected (11)

Products: Php: Archive Tar · Debian: Debian Linux · Fedoraproject: Fedora · +1 more

Show all products

Php: Archive Tar · Debian: Debian Linux · Fedoraproject: Fedora · Drupal: Drupal

1 product

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Php Archive Tar	Before 1.4.11

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 9.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Drupal Drupal	From 7.0 to 7.75
Drupal Drupal	From 8.0.0 to 8.9.10
Drupal Drupal	From 8.8.0 to 8.8.12
Drupal Drupal	From 9.0.0 to 9.0.9

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (22)

https://github.com/pear/Archive_Tar/issues/33

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202101-23

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2020/dsa-4817

Source: cve@mitre.org

Third Party Advisory

https://www.drupal.org/sa-core-2020-013

Source: cve@mitre.org

Third Party Advisory

https://github.com/pear/Archive_Tar/issues/33