SUBJECT: CVE-2020-36193 PEAR Archive_Tar Improper Link Resolution Vulnerability
TECH STACK: Archive_Tar library prior to 1.4.4.
DATE(S) ISSUED: 01/18/2021
CVE-2020-36193 is a vulnerability in the PEAR Archive_Tar library that allows an attacker to perform a directory traversal attack. This vulnerability exists in versions of the Archive_Tar library prior to 1.4.4.
In a directory traversal attack, an attacker supplies a path (here, an entry in a tar archive) that resolves to a location outside the directory the application intended to use. In Archive_Tar's case, inadequate checking of symbolic links meant a crafted archive could cause files to be written outside the extraction directory, which can overwrite sensitive files or lead to code execution on the server.
NIST Description: PEAR Archive_Tar Tar.php allows write operations with directory traversal due to inadequate checking of symbolic links.
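As an added illustration of the check the NIST description says was inadequate, the following Python scans a tar archive before extraction and flags any member that would write outside the extraction directory, either directly via `..` or an absolute path, or through a symlink member whose target escapes. This is example code written for this advisory, not PEAR's PHP code and not the fix shipped in Archive_Tar; the archive it inspects is constructed in memory for the demonstration and is never extracted.

```python
"""Pre-extraction traversal check for tar archives.

Added example for this advisory, written in Python; it is not PEAR's PHP
code and not the patch shipped in Archive_Tar. It shows the class of check
the CVE description says was inadequate: validating member paths *and*
symbolic-link targets before anything is written to disk.
"""
import io
import posixpath
import tarfile


def _escapes_root(path):
    """True if a normalised POSIX path points above or outside the extraction root."""
    return path.startswith("/") or path == ".." or path.startswith("../")


def _normalize(name):
    """Strip leading slashes and collapse '.'/'..' segments (POSIX semantics)."""
    return posixpath.normpath(name.lstrip("/"))


def find_traversal_entries(tar):
    """Return [(member_name, reason)] for members that must not be extracted.

    Members are examined in archive order, which is also extraction order:
      1. a member whose own path is absolute or climbs above the root is rejected;
      2. a symlink whose target resolves outside the root is rejected;
      3. any later member whose path passes through an earlier symlink member
         is rejected, because writing through a link lands wherever the link
         points, however harmless the member's own path looks.
    """
    findings = []
    symlinks = set()  # normalised paths of symlink members seen so far

    for member in tar.getmembers():
        name = _normalize(member.name)
        if member.name.startswith("/") or _escapes_root(name):
            findings.append((member.name, "path escapes extraction root"))
            continue

        # Any ancestor directory that is really a symlink redirects the write.
        parts = name.split("/")
        via_link = None
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                via_link = prefix
                break
        if via_link is not None:
            findings.append((member.name, f"path goes through symlink {via_link!r}"))
            continue

        if member.issym():
            target = member.linkname
            # Symlink targets are relative to the link's own directory.
            resolved = (target if target.startswith("/")
                        else posixpath.normpath(posixpath.join(posixpath.dirname(name), target)))
            if _escapes_root(resolved):
                findings.append((member.name, f"symlink target {target!r} escapes extraction root"))
            symlinks.add(name)
        elif member.islnk() and _escapes_root(_normalize(member.linkname)):
            # Hard-link targets are archive-root-relative, not member-relative.
            findings.append((member.name, f"hard-link target {member.linkname!r} escapes extraction root"))

    return findings


def scan_archive_bytes(data):
    """Convenience wrapper: scan an uncompressed tar archive held in memory."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return find_traversal_entries(tar)


def build_sample_archive():
    """Constructed sample (in memory only, never extracted): one benign member
    and three members that a naive extractor would write outside the root."""
    buf = io.BytesIO()
    payload = b"sample\n"
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        def add_file(name):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("docs/readme.txt")            # benign
        link = tarfile.TarInfo("docs/out")     # symlink climbing out of the root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
        add_file("docs/out/through_link.txt")  # innocent-looking path, written via the link
        add_file("../escape.txt")              # plain dot-dot traversal
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive_bytes(build_sample_archive()):
        print(f"REJECT {name}: {reason}")
```

The check refuses any write that passes through a symlink member at all, rather than trying to decide whether a particular link is safe; that is the conservative choice for untrusted archives. Modern extractors take the same line: Python 3.12's `tarfile` exposes it as `extractall(filter="data")`.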
CISA has added CVE-2020-36193 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.
Base Score: 7.5 HIGH
To patch CVE-2020-36193, update to a fixed version of the PEAR Archive_Tar library. The latest release is available from the PEAR website (https://pear.php.net/package/Archive_Tar).
Here is an example of how to update the library using the PEAR package manager:
First, make sure that you have the PEAR package manager installed. You can check if it is installed by running the following command:
$ pear version
If the PEAR package manager is not installed, you can install it by following the instructions on the PEAR website.
Once you have the PEAR package manager installed, update the Archive_Tar library by running the following command:
$ pear upgrade Archive_Tar
This will download and install the latest version of the Archive_Tar library, which should include a fix for the directory traversal vulnerability.
It is also a good idea to check the release notes for the latest version of the library to see if there are any additional security fixes or improvements that have been made.
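An added example (not from this advisory or from PEAR) of automating the version check across hosts: it parses `pear list` output, picks out the Archive_Tar line and compares its version numerically, not as a string, against the 1.4.4 threshold this advisory gives. The column layout of `pear list` is an assumption, and the sample output embedded below is constructed.

```python
"""Report whether the PEAR-installed Archive_Tar predates the fixed release.

Added example, not part of the advisory or of PEAR. The fixed-version
threshold is the one stated in the advisory text; the `pear list` column
layout (Package / Version / State) is an assumption about that command's
output, and SAMPLE_PEAR_LIST is constructed for the demonstration.
"""
import re
import subprocess

FIXED_VERSION = "1.4.4"  # threshold taken from the advisory text

# Constructed sample of `pear list` output (layout assumed).
SAMPLE_PEAR_LIST = """\
Installed packages, channel pear.php.net:
=========================================
Package          Version State
Archive_Tar      1.4.3   stable
Console_Getopt   1.4.3   stable
PEAR             1.10.12 stable
"""


def parse_version(version):
    """Split '1.4.10' into (1, 4, 10) so comparison is numeric, not lexical.

    A plain string comparison would rank '1.4.10' below '1.4.4'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def installed_version(pear_list_output, package="Archive_Tar"):
    """Return the version string on the row for `package`, or None if absent."""
    for line in pear_list_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == package:
            return fields[1]
    return None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def assess(pear_list_output):
    """Turn `pear list` output into a one-line finding for the host."""
    version = installed_version(pear_list_output)
    if version is None:
        return "Archive_Tar is not installed via PEAR"
    if is_vulnerable(version):
        return (f"Archive_Tar {version} is older than {FIXED_VERSION}: "
                f"run 'pear upgrade Archive_Tar'")
    return f"Archive_Tar {version} is at or above {FIXED_VERSION}"


def assess_live():
    """Run `pear list` on this host and assess its output (needs PEAR installed)."""
    result = subprocess.run(["pear", "list"], capture_output=True, text=True, check=True)
    return assess(result.stdout)


if __name__ == "__main__":
    print(assess(SAMPLE_PEAR_LIST))
```

Run `assess_live()` on a host with PEAR present, or feed `assess()` captured `pear list` output collected by your configuration-management tooling; the point of `parse_version` is that a two-digit patch level such as 1.4.10 sorts correctly, which a string comparison gets wrong.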
MLIST:[debian-lts-announce] 20210121 [SECURITY] [DLA-2530-1] drupal7 security update
MLIST:[debian-lts-announce] 20210408 [SECURITY] [DLA 2621-1] php-pear security update