CVE-2020-28948

Source
https://cve.org/CVERecord?id=CVE-2020-28948
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28948.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-28948
Aliases
Downstream
Related
Published
2020-11-19T19:15:11.877Z
Modified
2026-04-02T05:33:55.113999Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

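Archive_Tar through 1.4.10 allows an unserialization attack because the lowercase `phar:` stream-wrapper prefix is blocked but the uppercase form `PHAR:` is not. PHP resolves stream-wrapper scheme names case-insensitively, so a case-sensitive prefix check does not stop the phar wrapper from being reached. The ranges below give 1.4.11 as the fixed Archive_Tar release and 7.75, 8.8.12, 8.9.10 and 9.0.9 as the fixed Drupal releases. The enumerated "Affected versions" list also contains releases later than these (it appears to be derived from the broad `last_affected` ranges), so check a deployment against the fixed versions rather than against that list alone.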

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type
GIT
Repo
https://github.com/drupal/drupal
Events
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "10.0"
        },
        {
            "introduced": "7.0"
        },
        {
            "fixed": "7.75"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.9.10"
        },
        {
            "introduced": "8.8.0"
        },
        {
            "fixed": "8.8.12"
        },
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.0.9"
        }
    ]
}
Type
GIT
Repo
https://github.com/pear/archive_tar
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.4.11"
        }
    ]
}

Affected versions

1.*
1.0
1.3.11
1.3.12
1.3.13
1.3.14
1.3.15
1.3.16
1.4.0
1.4.1
1.4.10
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
10.*
10.0.0
10.0.0-alpha1
10.0.0-alpha2
10.0.0-alpha3
10.0.0-alpha4
10.0.0-alpha5
10.0.0-alpha6
10.0.0-alpha7
10.0.0-beta1
10.0.0-beta2
10.0.0-rc1
10.0.0-rc2
10.0.0-rc3
10.1.0
10.1.0-alpha1
10.1.0-beta1
10.1.0-rc1
10.1.1
10.1.2
10.1.3
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.2.0
10.2.0-alpha1
10.2.0-beta1
10.2.0-rc1
10.2.1
10.2.10
10.2.11
10.2.12
10.2.2
10.2.3
10.2.4
10.2.5
10.2.6
10.2.7
10.2.8
10.2.9
10.3.0
10.3.0-beta1
10.3.0-rc1
10.3.1
10.3.10
10.3.11
10.3.12
10.3.13
10.3.14
10.3.2
10.3.3
10.3.4
10.3.5
10.3.6
10.3.7
10.3.8
10.3.9
10.4.0
10.4.0-beta1
10.4.0-rc1
10.4.1
10.4.2
10.4.3
10.4.4
10.4.5
10.4.6
10.4.7
10.4.8
10.4.9
10.5.0
10.5.0-beta1
10.5.0-rc1
10.5.1
10.5.2
10.5.3
10.5.4
10.5.5
10.5.6
10.5.7
10.5.8
10.6.0
10.6.0-beta1
10.6.0-rc1
10.6.1
10.6.2
10.6.3
10.6.4
10.6.5
11.*
11.0.0
11.0.0-alpha1
11.0.0-beta1
11.0.0-rc1
11.0.1
11.0.10
11.0.11
11.0.12
11.0.13
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6
11.0.7
11.0.8
11.0.9
11.1.0
11.1.0-beta1
11.1.0-rc1
11.1.1
11.1.2
11.1.3
11.1.4
11.1.5
11.1.6
11.1.7
11.1.8
11.1.9
11.2.0
11.2.0-alpha1
11.2.0-beta1
11.2.0-rc1
11.2.0-rc2
11.2.1
11.2.10
11.2.2
11.2.3
11.2.4
11.2.5
11.2.6
11.2.7
11.2.8
11.2.9
11.3.0
11.3.0-alpha1
11.3.0-beta1
11.3.0-rc1
11.3.0-rc2
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
2.*
2.0
3.*
3.0.0
3.0.1
3.0.2
4.*
4.0.0
4.1.0
4.2.0
4.3.0
4.3.1
4.3.2
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.6.0
4.6.1
4.6.10
4.6.11
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.7.0
4.7.0-beta-3
4.7.0-beta-4
4.7.0-beta-5
4.7.0-beta-6
4.7.0-rc-1
4.7.0-rc-2
4.7.0-rc-3
4.7.0-rc-4
4.7.1
4.7.10
4.7.11
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.7.7
4.7.8
4.7.9
5.*
5.0
5.0-beta-1
5.0-beta-2
5.0-rc-1
5.0-rc-2
5.1
5.10
5.11
5.12
5.13
5.14
5.15
5.16
5.17
5.18
5.19
5.2
5.20
5.21
5.22
5.23
5.3
5.4
5.5
5.6
5.7
5.8
5.9
6.*
6.0
6.0-beta-1
6.0-beta-2
6.0-beta-3
6.0-beta-4
6.0-rc-1
6.0-rc-2
6.0-rc-3
6.0-rc-4
6.1
6.10
6.11
6.12
6.13
6.14
6.15
6.16
6.17
6.18
6.19
6.2
6.20
6.21
6.22
6.23
6.24
6.25
6.26
6.27
6.28
6.29
6.3
6.30
6.31
6.32
6.33
6.34
6.35
6.36
6.37
6.38
6.4
6.5
6.6
6.7
6.8
6.9
7.*
7.0
7.0-alpha1
7.0-alpha2
7.0-alpha3
7.0-alpha4
7.0-alpha5
7.0-alpha6
7.0-alpha7
7.0-beta-3
7.0-beta1
7.0-beta2
7.0-beta3
7.0-rc-1
7.0-rc-2
7.0-rc-3
7.0-rc-4
7.0-unstable-1
7.0-unstable-10
7.0-unstable-2
7.0-unstable-3
7.0-unstable-4
7.0-unstable-5
7.0-unstable-6
7.0-unstable-7
7.0-unstable-8
7.0-unstable-9
7.1
7.10
7.11
7.12
7.13
7.14
7.15
7.16
7.17
7.18
7.19
7.2
7.20
7.21
7.22
7.23
7.24
7.25
7.26
7.27
7.28
7.29
7.3
7.30
7.31
7.32
7.33
7.34
7.35
7.36
7.37
7.38
7.39
7.4
7.40
7.41
7.42
7.43
7.44
7.5
7.50
7.51
7.52
7.53
7.54
7.55
7.56
7.57
7.58
7.59
7.6
7.60
7.61
7.62
7.63
7.64
7.65
7.66
7.67
7.68
7.69
7.7
7.70
7.71
7.72
7.73
7.74
7.8
7.9
8.*
8.0-alpha10
8.0-alpha11
8.0-alpha12
8.0-alpha13
8.0-alpha2
8.0-alpha3
8.0-alpha4
8.0-alpha5
8.0-alpha6
8.0-alpha7
8.0-alpha8
8.0-alpha9
8.0.0
8.0.0-alpha14
8.0.0-alpha15
8.0.0-beta1
8.0.0-beta10
8.0.0-beta11
8.0.0-beta12
8.0.0-beta13
8.0.0-beta14
8.0.0-beta15
8.0.0-beta16
8.0.0-beta2
8.0.0-beta3
8.0.0-beta4
8.0.0-beta5
8.0.0-beta6
8.0.0-beta7
8.0.0-beta9
8.0.0-rc1
8.0.0-rc2
8.0.0-rc3
8.0.0-rc4
8.0.1
8.0.2
8.0.3
8.0.4
8.0.5
8.0.6
8.1.0
8.1.0-beta1
8.1.0-beta2
8.1.0-rc1
8.1.1
8.1.10
8.1.2
8.1.3
8.1.4
8.1.5
8.1.6
8.1.7
8.1.8
8.1.9
8.2.0
8.2.0-beta1
8.2.0-beta2
8.2.0-beta3
8.2.0-rc1
8.2.0-rc2
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
8.2.8
8.3.0
8.3.0-alpha1
8.3.0-beta1
8.3.0-rc1
8.3.0-rc2
8.3.1
8.3.2
8.3.3
8.3.4
8.3.5
8.3.6
8.3.7
8.3.8
8.3.9
8.4.0
8.4.0-alpha1
8.4.0-beta1
8.4.0-rc1
8.4.0-rc2
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6
8.4.7
8.4.8
8.5.0
8.5.0-alpha1
8.5.0-beta1
8.5.0-rc1
8.5.1
8.5.10
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.7
8.5.8
8.5.9
8.6.0
8.6.0-alpha1
8.6.0-beta1
8.6.0-beta2
8.6.0-rc1
8.6.1
8.6.10
8.6.11
8.6.12
8.6.13
8.6.14
8.6.15
8.6.16
8.6.17
8.6.18
8.6.2
8.6.3
8.6.4
8.6.5
8.6.6
8.6.7
8.6.8
8.6.9
8.7.0
8.7.0-alpha1
8.7.0-alpha2
8.7.0-beta1
8.7.0-beta2
8.7.0-rc1
8.7.1
8.7.10
8.7.11
8.7.12
8.7.13
8.7.14
8.7.2
8.7.3
8.7.4
8.7.5
8.7.6
8.7.7
8.7.8
8.7.9
8.8.0
8.8.0-alpha1
8.8.0-beta1
8.8.0-rc1
8.8.1
8.8.10
8.8.11
8.8.2
8.8.3
8.8.4
8.8.5
8.8.6
8.8.7
8.8.8
8.8.9
8.9.0
8.9.0-beta1
8.9.0-beta2
8.9.0-beta3
8.9.0-rc1
8.9.1
8.9.2
8.9.3
8.9.4
8.9.5
8.9.6
8.9.7
8.9.8
8.9.9
9.*
9.0.0
9.0.0-alpha1
9.0.0-alpha2
9.0.0-beta1
9.0.0-beta2
9.0.0-beta3
9.0.0-rc1
9.1.0
9.1.0-alpha1
9.1.0-beta1
9.1.0-rc1
9.1.0-rc2
9.1.0-rc3
9.1.1
9.1.10
9.1.11
9.1.12
9.1.13
9.1.14
9.1.15
9.1.2
9.1.3
9.1.4
9.1.5
9.1.6
9.1.7
9.1.8
9.1.9
9.2.0
9.2.0-alpha1
9.2.0-beta1
9.2.0-beta2
9.2.0-beta3
9.2.0-rc1
9.2.1
9.2.10
9.2.11
9.2.12
9.2.13
9.2.14
9.2.15
9.2.16
9.2.17
9.2.18
9.2.19
9.2.2
9.2.20
9.2.21
9.2.3
9.2.4
9.2.5
9.2.6
9.2.7
9.2.8
9.2.9
9.3.0
9.3.0-alpha1
9.3.0-beta1
9.3.0-beta2
9.3.0-beta3
9.3.0-rc1
9.3.1
9.3.10
9.3.11
9.3.12
9.3.13
9.3.14
9.3.15
9.3.16
9.3.17
9.3.18
9.3.19
9.3.2
9.3.20
9.3.21
9.3.22
9.3.3
9.3.4
9.3.5
9.3.6
9.3.7
9.3.8
9.3.9
9.4.0
9.4.0-alpha1
9.4.0-beta1
9.4.0-rc1
9.4.0-rc2
9.4.1
9.4.10
9.4.11
9.4.12
9.4.13
9.4.14
9.4.15
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7
9.4.8
9.4.9
9.5.0
9.5.0-beta1
9.5.0-beta2
9.5.0-rc1
9.5.0-rc2
9.5.1
9.5.10
9.5.11
9.5.2
9.5.3
9.5.4
9.5.5
9.5.6
9.5.7
9.5.8
9.5.9
Other
start

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "32"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "33"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "35"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28948.json"