logo

Database

Insecure deserialization In php-pear

Description

Deserialization of Untrusted Data in Archive_Tar Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. See: https://github.com/pear/Archive_Tar/issues/33

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

1-10 of 13

10

Aliases

1. CVE-2020-289482. NVD-2020-289483. OSV-DEBIAN-2020-289484. OSV-2020-289485. GCVE-2020-289486. SECURITY-TRACKER-CVE-2020-289487. lists.debian.org8. security.gentoo.org

References

1. https://github.com/0x240x23elu/CVE-2020-28948-and-CVE-2020-289492. https://github.com/pear/Archive_Tar/issues/333. https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da4. https://lists.fedoraproject.org/archives/list/[email protected]/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR5. https://lists.fedoraproject.org/archives/list/[email protected]/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B6. https://lists.fedoraproject.org/archives/list/[email protected]/message/5KSFM672XW3X6BR7TVKRD63SLZGKK4377. https://lists.fedoraproject.org/archives/list/[email protected]/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT8. https://lists.fedoraproject.org/archives/list/[email protected]/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP9. https://lists.fedoraproject.org/archives/list/[email protected]/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N10. https://www.debian.org/security/2020/dsa-481711. https://www.drupal.org/sa-core-2020-013

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.