CVE-2020-36193

high-risk

Published 2021-01-18

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Do I need to act?

71.1% chance of exploitation in next 30 days

EPSS score — higher than 29% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (8)

Archive Tar

Fedora

Debian Linux

Drupal

Affected Vendors

Debian Php Drupal Fedoraproject

References (21)

Patch https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de...

Mailing List https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html

Mailing List https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html

Broken Link https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202101-23

Third Party Advisory https://www.debian.org/security/2021/dsa-4894

Third Party Advisory https://www.drupal.org/sa-core-2021-001

Patch https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de...

Mailing List https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html

Mailing List https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html

Broken Link https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202101-23

Third Party Advisory https://www.debian.org/security/2021/dsa-4894

Third Party Advisory https://www.drupal.org/sa-core-2021-001

and 1 more references

/ 100

high-risk

Severity 26/34 · High

Exploitability 26/34 · High

Exposure 14/34 · Moderate