Main Vulnerability Database Vulnerabilities #VU49907

UNIX symbolic link following in Archive_Tar - CVE-2020-36193

Published: January 18, 2021 / Updated: October 27, 2022

Vulnerability identifier: #VU49907

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2020-36193

CWE-ID: CWE-61

Exploitation vector: Remote access

Exploit availability: The vulnerability is being exploited in the wild

Vendor: PHP Group

Affected software:
Archive_Tar

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a symlink following issue in tar.php file in Archive_Tar. A remote attacker can pass specially crafted archive to the application and force the application to overwrite arbitrary files on the system using directory traversal sequences.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

How to mitigate CVE-2020-36193

Install updates from vendor's website.

Sources

https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916

UNIX symbolic link following in Archive_Tar - CVE-2020-36193

Detailed vulnerability description

How to mitigate CVE-2020-36193

Sources

Please verify you're human