Security

Mitigation Instructions for CVE-2020-36193

Written by CyRisk Vulnerability Management Team | Mar 22, 2023 3:40:10 PM

SUBJECT: CVE-2020-36193 PEAR Archive_Tar Improper Link Resolution Vulnerability

TECH STACK: Archive_Tar library prior to 1.4.4.

DATE(S) ISSUED: 01/18/2021

CRITICALITY: HIGH

OVERVIEW:

CVE-2020-36193 is a vulnerability in the PEAR Archive_Tar library that allows an attacker to perform a directory traversal attack. This vulnerability exists in versions of the Archive_Tar library prior to 1.4.4.

In a directory traversal attack, an attacker can exploit a vulnerability in a web application to access files or directories that are outside of the intended directory structure. This can allow an attacker to access sensitive files or execute malicious code on the server.

NIST Description: PEAR Archive_Tar Tar.php allows write operations with directory traversal due to inadequate checking of symbolic links. 

https://nvd.nist.gov/vuln/detail/CVE-2020-36193

THREAT INTELLIGENCE:

CISA has added CVE-2020-36193 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise. 

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST: NVD

Base Score: 7.5 HIGH

Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

SOLUTION:

To patch the vulnerability in the PEAR Archive_Tar library that allows an attacker to perform a directory traversal attack (CVE-2020-36193), you can update to a fixed version of the library. You can find the latest version of the library on the PEAR website (https://pear.php.net/package/Archive_Tar).

Here is an example of how to update the library using the PEAR package manager:

First, make sure that you have the PEAR package manager installed. You can check if it is installed by running the following command:

$ pear version

If the PEAR package manager is not installed, you can install it by following the instructions on the PEAR website

 (https://pear.php.net/manual/en/installation.getting.php).

Once you have the PEAR package manager installed, update the Archive_Tar library by running the following command:

$ pear upgrade Archive_Tar

This will download and install the latest version of the Archive_Tar library, which should include a fix for the directory traversal vulnerability.

It is also a good idea to check the release notes for the latest version of the library to see if there are any additional security fixes or improvements that have been made.

REFERENCES:

https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916

https://www.drupal.org/sa-core-2021-001

https://access.redhat.com/security/cve/cve-2020-36193

CONFIRM:https://www.drupal.org/sa-core-2021-001

DEBIAN:DSA-4894

URL:https://www.debian.org/security/2021/dsa-4894

FEDORA:FEDORA-2021-02996612f6

URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/

FEDORA:FEDORA-2021-0c013f520c

URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

FEDORA:FEDORA-2021-8093e197f4

URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

FEDORA:FEDORA-2021-dc7de65eed

URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/

GENTOO:GLSA-202101-23

URL:https://security.gentoo.org/glsa/202101-23

MISC:https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916

MLIST:[debian-lts-announce] 20210121 [SECURITY] [DLA-2530-1] drupal7 security update

URL:https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html

MLIST:[debian-lts-announce] 20210408 [SECURITY] [DLA 2621-1] php-pear security update

URL:https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html