CVE-2020-28949

Published: 19/11/2020 Updated: 07/11/2023
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 606
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Archive_Tar up to and including 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Vulnerable Products

PHP Archive_Tar
Debian Linux 9.0
Debian Linux 10.0
Fedora 32
Fedora 33
Fedora 34
Fedora 35
Drupal

Vendor Advisories

Debian Bug report logs - #976108 php-pear: CVE-2020-28948 CVE-2020-28949. Package: src:php-pear; Maintainer for src:php-pear is Debian PHP Maintainers <team+pkg-php@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sun, 29 Nov 2020 19:51:02 UTC; Severity: grave; Tags: security, upstream F ...
Synopsis: Moderate: php:7.4 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as ...
Synopsis: Moderate: php-pear security update. Type/Severity: Security Advisory: Moderate. Topic: An update for php-pear is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a ...
Synopsis: Moderate: php:7.4 security update. Type/Severity: Security Advisory: Moderate. Topic: An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security ...
Two vulnerabilities were discovered in the PEAR Archive_Tar package for handling tar files in PHP, potentially allowing a remote attacker to execute arbitrary code or overwrite files. For the stable distribution (buster), these problems have been fixed in version 1:1.10.6+submodules+notgz-1.1+deb10u1. We recommend that you upgrade your php-pear pac ...
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked (CVE-2020-28948). Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed (CVE-2020-28949) ...

Exploits

This Metasploit module takes advantage of Archive_Tar versions prior to 1.4.11, which fail to validate file stream wrappers contained within filenames, to write an arbitrary file containing user-controlled content to an arbitrary location on disk. Note that the file will be written to disk with the permissions of the user that PHP is running as, so it m ...

Github Repositories

CVE-2020-28948-and-CVE-2020-28949: pear/Archive_Tar#33, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948. For more, see i.blackhat.com/us-18/Thu-August-9/us-18-Thomas-Its-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf

POC for CVE-2020-28948 & CVE-2020-28949: The files here contain a PoC for CVE-2020-28948 & CVE-2020-28949 to achieve remote exploitation. The server: the server folder contains a simple upload server which uses the vulnerable Archive_Tar library, located in server/Archive. The server accepts a Tar archive from the user, extracts it, and stores it in the server/uploads/ folder.

CVE-2020-28948 POC Link: github.com/0x240x23elu/CVE-2020-28948-and-CVE-2020-28949