GHSA-rpw6-9xfx-jvcx

Source

https://github.com/advisories/GHSA-rpw6-9xfx-jvcx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rpw6-9xfx-jvcx/GHSA-rpw6-9xfx-jvcx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rpw6-9xfx-jvcx

Aliases

Published

2021-04-22T16:20:36Z

Modified

2024-02-22T05:31:57.298375Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Directory Traversal in Archive_Tar

Details

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

:exclamation: Note:

There was an initial fix for this vulnerability made in version 1.4.12. That fix introduced a bug which was fixed in 1.4.13. Therefore we have set the first-patched-version to 1.4.13 which the earliest working version that avoids this vulnerability.

Database specific

{
    "nvd_published_at": "2021-01-18T20:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-22T23:56:54Z"
}

References

Affected packages

Packagist / pear/archive_tar

Package

Name: pear/archive_tar
Purl: pkg:composer/pear/archive_tar

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.13

Affected versions

1.*

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.4.10

1.4.11

1.4.12

Database specific

{
    "last_known_affected_version_range": "<= 1.4.11"
}