CVE-2021-32610

moderate-risk

Published 2021-07-30

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

Do I need to act?

3.0% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.1/10 High

LOCAL / LOW complexity

Archive Tar

Debian Linux

Fedora

Debian Php Fedoraproject

Patch https://github.com/pear/Archive_Tar/commit/7789ebb2f34f9e4adb3a4152ad0d1548930a9...

Patch https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f

Release Notes https://github.com/pear/Archive_Tar/releases/tag/1.4.14

Mailing List https://lists.debian.org/debian-lts-announce/2021/07/msg00023.html

Third Party Advisory https://www.drupal.org/sa-core-2021-004

Patch https://github.com/pear/Archive_Tar/commit/7789ebb2f34f9e4adb3a4152ad0d1548930a9...

Patch https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f

Release Notes https://github.com/pear/Archive_Tar/releases/tag/1.4.14

Mailing List https://lists.debian.org/debian-lts-announce/2021/07/msg00023.html

Third Party Advisory https://www.drupal.org/sa-core-2021-004

/ 100

moderate-risk

Severity 22/34 · High

Exploitability 6/34 · Minimal

Exposure 12/34 · Low