VulnerableCode Package Details - pkg:deb/debian/php-pear@1:1.10.1%2Bsubmodules%2Bnotgz-9%2Bdeb9u1

Search for packages

Package details: pkg:deb/debian/php-pear@1:1.10.1%2Bsubmodules%2Bnotgz-9%2Bdeb9u1

Essentials
History (7)

purl	pkg:deb/debian/php-pear@1:1.10.1%2Bsubmodules%2Bnotgz-9%2Bdeb9u1

Next non-vulnerable version	1:1.10.13+submodules+notgz+2022032202-2
Latest non-vulnerable version	1:1.10.13+submodules+notgz+2022032202-2
Risk	10.0

Vulnerabilities affecting this package (4)

Vulnerability	Summary	Fixed by
VCID-1skm-sxkd-fqay Aliases: CVE-2020-36193 GHSA-rpw6-9xfx-jvcx	Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.	1:1.10.6+submodules+notgz-1.1+deb10u2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1:1.10.12+submodules+notgz+20210212-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-29b3-euu3-tbdk Aliases: CVE-2020-28948 GHSA-jh5x-hfhg-78jq	Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.	1:1.10.6+submodules+notgz-1.1+deb10u2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1:1.10.12+submodules+notgz+20210212-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-q1zc-wkc7-wyew Aliases: CVE-2018-1000888 GHSA-3q76-jq6m-573p	PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.	1:1.10.6+submodules+notgz-1.1+deb10u2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-zm7q-katz-bue7 Aliases: CVE-2020-28949 GHSA-75c5-f4gw-38r9	Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.	1:1.10.6+submodules+notgz-1.1+deb10u2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1:1.10.12+submodules+notgz+20210212-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T20:02:09.899748+00:00	Debian Oval Importer	Affected by	VCID-zm7q-katz-bue7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T19:32:48.429163+00:00	Debian Oval Importer	Affected by	VCID-29b3-euu3-tbdk	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T19:04:08.211885+00:00	Debian Oval Importer	Affected by	VCID-q1zc-wkc7-wyew	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T11:49:09.528663+00:00	Debian Oval Importer	Affected by	VCID-1skm-sxkd-fqay	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T11:31:48.728043+00:00	Debian Oval Importer	Affected by	VCID-29b3-euu3-tbdk	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	37.0.0
2025-08-01T11:16:49.046673+00:00	Debian Oval Importer	Affected by	VCID-1skm-sxkd-fqay	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	37.0.0
2025-08-01T11:13:36.350364+00:00	Debian Oval Importer	Affected by	VCID-zm7q-katz-bue7	https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2	37.0.0