Packagist (Composer) package
pear/archive_tar
pkg:composer/pear/archive_tar
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-32610 | — | < 1.4.14 | 1.4.14 | Jul 27, 2021 | In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193. | ||
| CVE-2020-36193 | — | KEV | < 1.4.13 | 1.4.13 | Jan 18, 2021 | Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. | |
| CVE-2020-28948 | — | < 1.4.11 | 1.4.11 | Nov 19, 2020 | Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | ||
| CVE-2020-28949 | — | KEV | < 1.4.11 | 1.4.11 | Nov 19, 2020 | Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. | |
| CVE-2018-1000888 | — | < 1.4.4 | 1.4.4 | Dec 27, 2018 | PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix | ||
| CVE-2006-0931 | — | >= 1.2, < 1.3.2 | 1.3.2 | Feb 28, 2006 | Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other versions before 1.3.2, allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive. |
- CVE-2021-32610Jul 27, 2021affected < 1.4.14fixed 1.4.14
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
- affected < 1.4.13fixed 1.4.13
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
- CVE-2020-28948Nov 19, 2020affected < 1.4.11fixed 1.4.11
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
- affected < 1.4.11fixed 1.4.11
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
- CVE-2018-1000888Dec 27, 2018affected < 1.4.4fixed 1.4.4
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix
- CVE-2006-0931Feb 28, 2006affected >= 1.2, < 1.3.2fixed 1.3.2
Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other versions before 1.3.2, allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive.