Fluid Attacks Database

Description

Multiple vulnerabilities through filename manipulation in Archive_Tar Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. See: https://github.com/pear/Archive_Tar/issues/33

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/core-recommended	>=7.0 <7.75 \|\| >=8.0.0 <8.9.10 \|\| >=9.0.0 <9.0.9	8.9.10, 9.0.9
packagist	drupal/core	>=7.0 <7.75 \|\| >=8.8.0 <8.8.12 \|\| >=8.9.0 <8.9.10 \|\| >=9.0.0 <9.0.9	7.75, 8.8.12, 8.9.10, 9.0.9
packagist	drupal/drupal	>=7.0 <7.75 \|\| >=8.8.0 <8.8.12 \|\| >=8.9.0 <8.9.10 \|\| >=9.0.0 <9.0.9	7.75, 8.8.12, 8.9.10, 9.0.9
debian 11	php-pear	>=0 <1:1.10.9+submodules+notgz-1.1	1:1.10.9+submodules+notgz-1.1
packagist	pear/archive_tar	>=0 <1.4.11	1.4.11
debian 14	php-pear	>=0 <1:1.10.9+submodules+notgz-1.1	1:1.10.9+submodules+notgz-1.1
debian 12	php-pear	>=0 <1:1.10.9+submodules+notgz-1.1	1:1.10.9+submodules+notgz-1.1
debian 13	php-pear	>=0 <1:1.10.9+submodules+notgz-1.1	1:1.10.9+submodules+notgz-1.1
rpm rhel8.4	php	<0:7.4.6-5.module+el8.4.0+15727+276bb227	0:7.4.6-5.module+el8.4.0+15727+276bb227
rpm rhel8	php	<0:7.4.19-4.module+el8.6.0+16316+906f6c6d	0:7.4.19-4.module+el8.6.0+16316+906f6c6d

1-10 of 13

Aliases

1. CVE-2020-289492. NVD-2020-289493. OSV-2020-289494. OSV-DEBIAN-2020-289495. GCVE-2020-289496. SECURITY-TRACKER-CVE-2020-289497. security.gentoo.org8. lists.debian.org

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.