Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
There was an initial fix for this vulnerability made in version 1.4.12. That fix introduced a bug, which was fixed in 1.4.13. Therefore we have set the first-patched-version to 1.4.13, which is the earliest working version that avoids this vulnerability.
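The following pre-extraction audit is an added example, not Archive_Tar code and not part of the original advisory; it shows the kind of symbolic-link checks whose absence the advisory describes. It uses Python's standard `tarfile` module rather than PHP, the function names are hypothetical, and the sample archive is constructed in memory.

```python
import io
import posixpath
import tarfile

def escapes_root(path):
    """True if an archive-relative path resolves outside the extraction root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(path) or norm == ".." or norm.startswith("../")

def audit_tar(fileobj):
    """Return (member name, reason) pairs for entries that are unsafe to extract."""
    findings, links = [], set()
    with tarfile.open(fileobj=fileobj) as tar:
        for member in tar:
            name = posixpath.normpath(member.name)
            parts = name.split("/")
            prefixes = {"/".join(parts[:i]) for i in range(1, len(parts) + 1)}
            if escapes_root(member.name):
                findings.append((member.name, "entry name leaves root"))
            elif prefixes & links:
                findings.append((member.name, "path passes through an archived link"))
            elif member.issym() or member.islnk():
                # Symlink targets are relative to the link's own directory;
                # hard-link targets are relative to the archive root.
                base = posixpath.dirname(name) if member.issym() else ""
                if escapes_root(posixpath.join(base, member.linkname)):
                    findings.append((member.name, "link target leaves root"))
            if member.issym() or member.islnk():
                links.add(name)  # remember every link so later entries are checked
    return findings

def build_sample():
    """Constructed sample: a benign file, an escaping symlink, a file behind it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("docs/readme.txt")
        link = tarfile.TarInfo("docs/out")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
        add_file("docs/out/written.txt")
    buf.seek(0)
    return buf
```

An archive for which `audit_tar` returns any finding should be rejected rather than extracted; the check complements upgrading to 1.4.13 or later and does not replace it.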
{ "nvd_published_at": "2021-01-18T20:15:00Z", "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-03-22T23:56:54Z" }