Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2020-36193

Published: 18 January 2021

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

Priority

Medium

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
php-pear
Launchpad, Ubuntu, Debian
trusty Does not exist

upstream Needs triage

xenial
Released (1:1.10.1+submodules+notgz-6ubuntu0.3)
bionic
Released (1:1.10.5+submodules+notgz-1ubuntu1.18.04.3)
focal
Released (1:1.10.9+submodules+notgz-1ubuntu0.20.04.2)
groovy
Released (1:1.10.9+submodules+notgz-1ubuntu0.20.10.2)
Patches:
upstream: https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
upstream: https://github.com/pear/Archive_Tar/commit/b6da5c32254162fa0752616479fb3d3c5297c1cf
upstream: https://github.com/pear/Archive_Tar/commit/7d8782d95f74b5889bfaaad43e74086f1918ec2b

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N