CVE-2020-28948

high-risk

Published 2020-11-19

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

Do I need to act?

76.2% chance of exploitation in next 30 days

EPSS score — higher than 24% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Archive Tar

Debian Linux

Fedora

Drupal

Debian Php Drupal Fedoraproject

Exploit https://github.com/pear/Archive_Tar/issues/33

Mailing List https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

Third Party Advisory https://security.gentoo.org/glsa/202101-23

Third Party Advisory https://www.debian.org/security/2020/dsa-4817

Third Party Advisory https://www.drupal.org/sa-core-2020-013

Exploit https://github.com/pear/Archive_Tar/issues/33

Mailing List https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

Third Party Advisory https://security.gentoo.org/glsa/202101-23

and 2 more references

/ 100

high-risk

Severity 24/34 · High

Exploitability 20/34 · Moderate

Exposure 14/34 · Moderate