PHP Archive Tar


By the Year

In 2021 there have been 2 vulnerabilities published for PHP Archive Tar, with an average CVSS base score of 7.3 out of 10. In 2020 Archive Tar also had 2 published vulnerabilities, with an average base score of 7.8, so last year's average was higher by 0.50. At the current rate the yearly counts may end up equal.

Year  Vulnerabilities  Average CVSS base score
2021  2                7.30
2020  2                7.80
2019  0                0.00
2018  0                0.00

It may take a day or so for new Archive Tar vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent PHP Archive Tar Security Vulnerabilities

CVE-2021-32610 7.1 - High - July 30, 2021

In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.

insecure temporary file

CVE-2020-36193 7.5 - High - January 18, 2021

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Directory traversal

CVE-2020-28948 7.8 - High - November 19, 2020

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

Marshaling, Unmarshaling

CVE-2020-28949 7.8 - High - November 19, 2020

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

Injection
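The four entries above describe two families of weakness in a tar extractor: entry names that carry a stream-wrapper prefix (PHP file functions honour wrappers such as phar:// and file://, and Archive_Tar 1.4.10 blocked only the lowercase phar: form), and link entries whose targets, or whose later use as a path component, let a write land outside the extraction directory. The validator below is an added example written for this page, not Archive_Tar code; it is in Python rather than PHP because the checks themselves are language-independent and Python's tarfile lets the sample archive be built in memory. EXTRACT_ROOT is a hypothetical extraction directory used only for lexical path resolution, and build_sample_archive() constructs one entry per weakness described in the CVE texts (it is not taken from any real exploit). It goes beyond the specific cases in the text by also rejecting hard links that point outside the root and entries whose path passes through an earlier symlink entry.

```python
import io
import posixpath
import re
import tarfile

# Hypothetical extraction directory (assumption); POSIX path used for lexical
# resolution only, nothing is written to disk.
EXTRACT_ROOT = "/tmp/extract"

# Any "scheme://" prefix. IGNORECASE is the point: Archive_Tar <= 1.4.10 blocked
# "phar:" but not "PHAR:" (CVE-2020-28948) and blocked no other wrapper at all
# (CVE-2020-28949).
STREAM_WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def escapes_root(path, root=EXTRACT_ROOT):
    """True if `path` does not resolve (lexically) to a location under `root`.
    posixpath.join discards `root` when `path` is absolute, so absolute names
    and absolute link targets are reported as escaping as well."""
    full = posixpath.normpath(posixpath.join(root, path))
    return full != root and not full.startswith(root + "/")


def check_member(member, symlinked_dirs):
    """Return the list of problems for one TarInfo ([] means acceptable).
    `symlinked_dirs` holds the names that earlier entries declared as symlinks;
    a later entry whose path passes through one of them would be written
    through the link once it exists on disk (the CVE-2021-32610 pattern)."""
    problems = []
    name = member.name
    if STREAM_WRAPPER_RE.match(name):
        problems.append("stream wrapper in name")
    if escapes_root(name):
        problems.append("name escapes extraction root")
    parent = posixpath.dirname(posixpath.normpath(name))
    while parent and parent != ".":
        if parent in symlinked_dirs:
            problems.append("path passes through symlink %s" % parent)
            break
        parent = posixpath.dirname(parent)
    if member.issym():
        # A relative symlink target resolves against the link's own directory.
        target = posixpath.join(posixpath.dirname(name), member.linkname)
        if escapes_root(target):
            problems.append("symlink target outside root: %s" % member.linkname)
    elif member.islnk():
        # Hard link targets are archive-relative, i.e. relative to the root.
        if escapes_root(member.linkname):
            problems.append("hardlink target outside root: %s" % member.linkname)
    return problems


def check_archive(data):
    """Scan every member of an in-memory tar before extracting anything.
    Returns {member name: [problems]} for members that must not be extracted;
    an empty dict means the archive passed all checks."""
    findings = {}
    symlinked_dirs = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            problems = check_member(member, symlinked_dirs)
            if problems:
                findings[member.name] = problems
            if member.issym():
                symlinked_dirs.add(posixpath.normpath(member.name))
    return findings


def build_sample_archive():
    """Constructed sample archive (not from any real attack): one benign file
    plus one entry for each weakness described in the CVE texts above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, content=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

        def add_link(name, target, kind):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            tar.addfile(info)

        add_file("docs/readme.txt", b"fine\n")
        add_file("PHAR://evil.phar/x")                      # CVE-2020-28948: case bypass
        add_file("file:///tmp/overwrite_me")                # CVE-2020-28949: other wrapper
        add_link("escape", "../../etc", tarfile.SYMTYPE)    # CVE-2020-36193: link out of root
        add_file("escape/passwd")                           # CVE-2021-32610: write through link
        add_link("hl", "/etc/shadow", tarfile.LNKTYPE)      # hard link out of root
    return buf.getvalue()


if __name__ == "__main__":
    for name, problems in check_archive(build_sample_archive()).items():
        print(name, "->", "; ".join(problems))
```

The checks are purely lexical, which is what makes them safe to run before any file exists on disk; the symlink bookkeeping in check_archive is what closes the gap between "this symlink's target is outside the root" and "this regular file is written through a symlink created two entries earlier". Rejecting the whole archive on any finding is simpler and safer than skipping individual members.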
