Main Vulnerability Database Vulnerabilities #VU49907

#VU49907 UNIX symbolic link following in Archive_Tar - CVE-2020-36193

Published: January 18, 2021 / Updated: October 27, 2022

Vulnerability identifier: #VU49907

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2020-36193

CWE-ID: CWE-61

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vulnerable software:
Archive_Tar

Software vendor:
PHP Group

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a symlink following issue in tar.php file in Archive_Tar. A remote attacker can pass specially crafted archive to the application and force the application to overwrite arbitrary files on the system using directory traversal sequences.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Remediation

Install updates from vendor's website.

External links

https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916

#VU49907 UNIX symbolic link following in Archive_Tar - CVE-2020-36193

Description

Remediation

External links

Please verify you're human