SUBJECT: CVE-2020-36193 PEAR Archive_Tar Improper Link Resolution Vulnerability
TECH STACK: Archive_Tar library prior to 1.4.4.
DATE(S) ISSUED: 01/18/2021
CRITICALITY: HIGH
OVERVIEW:
CVE-2020-36193 is a vulnerability in the PEAR Archive_Tar library that allows an attacker to perform a directory traversal attack. This vulnerability exists in versions of the Archive_Tar library prior to 1.4.4.
In a directory traversal attack, an attacker can exploit a vulnerability in a web application to access files or directories that are outside of the intended directory structure. This can allow an attacker to access sensitive files or execute malicious code on the server.
NIST Description: PEAR Archive_Tar Tar.php allows write operations with directory traversal due to inadequate checking of symbolic links.
https://nvd.nist.gov/vuln/detail/CVE-2020-36193
THREAT INTELLIGENCE:
CISA has added CVE-2020-36193 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST: NVD
Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SOLUTION:
To patch the vulnerability in the PEAR Archive_Tar library that allows an attacker to perform a directory traversal attack (CVE-2020-36193), you can update to a fixed version of the library. You can find the latest version of the library on the PEAR website (https://pear.php.net/package/Archive_Tar).
Here is an example of how to update the library using the PEAR package manager:
First, make sure that you have the PEAR package manager installed. You can check if it is installed by running the following command:
$ pear version
If the PEAR package manager is not installed, you can install it by following the instructions on the PEAR website
(https://pear.php.net/manual/en/installation.getting.php).
Once you have the PEAR package manager installed, update the Archive_Tar library by running the following command:
$ pear upgrade Archive_Tar
This will download and install the latest version of the Archive_Tar library, which should include a fix for the directory traversal vulnerability.
It is also a good idea to check the release notes for the latest version of the library to see if there are any additional security fixes or improvements that have been made.
REFERENCES:
https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
https://www.drupal.org/sa-core-2021-001
https://access.redhat.com/security/cve/cve-2020-36193
CONFIRM:https://www.drupal.org/sa-core-2021-001
DEBIAN:DSA-4894
URL:https://www.debian.org/security/2021/dsa-4894
FEDORA:FEDORA-2021-02996612f6
URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/
FEDORA:FEDORA-2021-0c013f520c
URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/
FEDORA:FEDORA-2021-8093e197f4
URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/
FEDORA:FEDORA-2021-dc7de65eed
URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/
GENTOO:GLSA-202101-23
URL:https://security.gentoo.org/glsa/202101-23
MISC:https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
MLIST:[debian-lts-announce] 20210121 [SECURITY] [DLA-2530-1] drupal7 security update
URL:https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html
MLIST:[debian-lts-announce] 20210408 [SECURITY] [DLA 2621-1] php-pear security update
URL:https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html
