Search CVE reports
1 – 7 of 7 results
Some fixes available 11 of 13
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
2 affected packages
drupal7, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release |
php-pear | Fixed | Fixed | Fixed | Fixed |
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
1 affected package
php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
php-pear | — | — | Fixed | Fixed |
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
2 affected packages
drupal7, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release |
php-pear | Fixed | Fixed | Fixed | Fixed |
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
2 affected packages
drupal7, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
drupal7 | Not in release | Not in release | Not in release | Not in release |
php-pear | Fixed | Fixed | Fixed | Fixed |
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir,...
1 affected package
php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
php-pear | — | — | — | Fixed |
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses,...
4 affected packages
php5, php7.0, php7.1, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | Not in release |
php7.0 | Not in release | Not in release | Not in release | Not in release |
php7.1 | Not in release | Not in release | Not in release | Not in release |
php-pear | Vulnerable | Vulnerable | Vulnerable | Vulnerable |
The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to...
2 affected packages
php5, php-pear
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
php5 | Not in release | Not in release | Not in release | Not in release |
php-pear | Vulnerable | Vulnerable | Vulnerable | Vulnerable |