Package details: pkg:rpm/redhat/php-pear@1:1.9.4-23?arch=el7_9
purl pkg:rpm/redhat/php-pear@1:1.9.4-23?arch=el7_9
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (3)
| Vulnerability | Summary | Fixed by |
| --- | --- | --- |
| VCID-gbz5-5frj-hber (Aliases: CVE-2020-28949, GHSA-75c5-f4gw-38r9) | Multiple vulnerabilities through filename manipulation in Archive_Tar: Archive_Tar through 1.4.10 has `://` filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as `file://` to overwrite files) can still succeed. See: https://github.com/pear/Archive_Tar/issues/33 | There are no reported fixed by versions. |
| VCID-kc7d-5k6x-77bp (Aliases: CVE-2020-36193, GHSA-rpw6-9xfx-jvcx) | Directory Traversal in Archive_Tar: Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948. Note: There was an [initial fix](https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916) for this vulnerability made in version `1.4.12`. That fix introduced a bug which was [fixed in 1.4.13](https://github.com/pear/Archive_Tar/pull/36). Therefore we have set the first-patched-version to `1.4.13`, which is the earliest working version that avoids this vulnerability. | There are no reported fixed by versions. |
| VCID-v9v6-ae3e-g3hk (Aliases: CVE-2020-28948, GHSA-jh5x-hfhg-78jq) | Deserialization of Untrusted Data in Archive_Tar: Archive_Tar through 1.4.10 allows an unserialization attack because `phar:` is blocked but `PHAR:` is not blocked. See: https://github.com/pear/Archive_Tar/issues/33 | There are no reported fixed by versions. |
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-04-01T14:03:51.317488+00:00 | RedHat Importer | Affected by | VCID-gbz5-5frj-hber | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28949.json | 38.0.0 |
| 2026-04-01T14:03:51.268061+00:00 | RedHat Importer | Affected by | VCID-v9v6-ae3e-g3hk | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-28948.json | 38.0.0 |
| 2026-04-01T14:03:21.418327+00:00 | RedHat Importer | Affected by | VCID-kc7d-5k6x-77bp | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-36193.json | 38.0.0 |