Search CVE reports


1 – 7 of 7 results


CVE-2021-32610

Medium priority

Some fixes available 11 of 13

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

2 affected packages

drupal7, php-pear

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal7 Not in release Not in release Not in release Not in release Vulnerable
php-pear Fixed Fixed Fixed Fixed Fixed

CVE-2020-36193

Medium priority
Fixed

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

1 affected package

php-pear

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
php-pear Fixed Fixed Fixed

CVE-2020-28949

High priority
Fixed

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

2 affected packages

drupal7, php-pear

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal7 Not in release Not in release Not in release Not in release Fixed
php-pear Fixed Fixed Fixed Fixed Fixed

CVE-2020-28948

Medium priority
Fixed

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

2 affected packages

drupal7, php-pear

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
drupal7 Not in release Not in release Not in release Not in release Fixed
php-pear Fixed Fixed Fixed Fixed Fixed

CVE-2018-1000888

Medium priority
Fixed

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir,...

1 affected package

php-pear

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
php-pear Fixed Fixed

CVE-2017-5630

Negligible priority
Vulnerable

PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses,...

4 affected packages

php-pear, php5, php7.0, php7.1

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
php-pear Vulnerable Vulnerable Vulnerable Vulnerable Vulnerable
php5 Not in release Not in release Not in release Not in release Not in release
php7.0 Not in release Not in release Not in release Not in release Not affected
php7.1 Not in release Not in release Not in release Not in release Not in release

CVE-2014-5459

Negligible priority
Vulnerable

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to...

2 affected packages

php-pear, php5

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
php-pear Vulnerable Vulnerable Vulnerable Vulnerable Vulnerable
php5 Not in release Not in release Not in release Not in release Not in release