Search for packages
| purl | pkg:composer/pear/archive_tar@1.4.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-gbz5-5frj-hber
Aliases: CVE-2020-28949 GHSA-75c5-f4gw-38r9 |
Multiple vulnerabilities through filename manipulation in Archive_Tar Archive_Tar through 1.4.10 has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed. See: https://github.com/pear/Archive_Tar/issues/33 |
Affected by 2 other vulnerabilities. |
|
VCID-kc7d-5k6x-77bp
Aliases: CVE-2020-36193 GHSA-rpw6-9xfx-jvcx |
Directory Traversal in Archive_Tar Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. ### :exclamation: Note: There was an [initial fix](https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916) for this vulnerability made in version `1.4.12`. That fix introduced a bug which was [fixed in 1.4.13](https://github.com/pear/Archive_Tar/pull/36). Therefore we have set the first-patched-version to `1.4.13` which the earliest working version that avoids this vulnerability. |
Affected by 1 other vulnerability. |
|
VCID-tk1v-t2e5-jqae
Aliases: CVE-2021-32610 GHSA-p8q8-jfcv-g2h2 |
Improper Link Resolution Before File Access In Archive_Tar, symlinks can refer to targets outside of the extracted archive. |
Affected by 0 other vulnerabilities. |
|
VCID-v9v6-ae3e-g3hk
Aliases: CVE-2020-28948 GHSA-jh5x-hfhg-78jq |
Deserialization of Untrusted Data in Archive_Tar Archive_Tar through 1.4.10 allows an unserialization attack because `phar:` is blocked but `PHAR:` is not blocked. See: https://github.com/pear/Archive_Tar/issues/33 |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||