VYPR

Packagist (Composer) package

pear/archive_tar

pkg:composer/pear/archive_tar

Vulnerabilities (6)

  • CVE-2021-32610Jul 27, 2021
    affected < 1.4.14fixed 1.4.14

    In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

  • CVE-2020-36193KEVJan 18, 2021
    affected < 1.4.13fixed 1.4.13

    Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

  • CVE-2020-28948Nov 19, 2020
    affected < 1.4.11fixed 1.4.11

    Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

  • CVE-2020-28949KEVNov 19, 2020
    affected < 1.4.11fixed 1.4.11

    Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

  • CVE-2018-1000888Dec 27, 2018
    affected < 1.4.4fixed 1.4.4

    PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix

  • CVE-2006-0931Feb 28, 2006
    affected >= 1.2, < 1.3.2fixed 1.3.2

    Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other versions before 1.3.2, allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive.