Search CVE reports
1 – 7 of 7 results
CVE-2021-32610
Medium priority
Some fixes available 11 of 13
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
2 affected packages
drupal7, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Vulnerable |
php-pear | Fixed | Fixed | Fixed | Fixed | Fixed |
CVE-2020-36193
Medium priority
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
1 affected package
php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-pear | — | — | Fixed | Fixed | Fixed |
CVE-2020-28949
High priority
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
2 affected packages
drupal7, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Fixed |
php-pear | Fixed | Fixed | Fixed | Fixed | Fixed |
CVE-2020-28948
Medium priority
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
2 affected packages
drupal7, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release | Fixed |
php-pear | Fixed | Fixed | Fixed | Fixed | Fixed |
CVE-2018-1000888
Medium priority
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir,...
1 affected package
php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-pear | — | — | — | Fixed | Fixed |
CVE-2017-5630
Negligible priority
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses,...
4 affected packages
php-pear, php5, php7.0, php7.1
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-pear | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
php5 | Not in release | Not in release | Not in release | Not in release | Not in release |
php7.0 | Not in release | Not in release | Not in release | Not in release | Not affected |
php7.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2014-5459
Negligible priority
The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to...
2 affected packages
php-pear, php5
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
php-pear | Vulnerable | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
php5 | Not in release | Not in release | Not in release | Not in release | Not in release |