CVE-2020-28949

7.8 HIGH CISA KEV - Actively Exploited

Published: November 19, 2020 Modified: November 07, 2025

Description

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html

Source: cve@mitre.org

Exploit Third Party Advisory VDB Entry

https://github.com/pear/Archive_Tar/issues/33

Source: cve@mitre.org

Exploit Issue Tracking Vendor Advisory

https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

Source: cve@mitre.org

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

Source: cve@mitre.org

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

Source: cve@mitre.org

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

Source: cve@mitre.org

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

Source: cve@mitre.org

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/

Source: cve@mitre.org

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

Source: cve@mitre.org

Mailing List Third Party Advisory

https://security.gentoo.org/glsa/202101-23

Source: cve@mitre.org

Third Party Advisory

https://www.debian.org/security/2020/dsa-4817

Source: cve@mitre.org

Mailing List Third Party Advisory

https://www.drupal.org/sa-core-2020-013

Source: cve@mitre.org

Third Party Advisory

http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Third Party Advisory VDB Entry

https://github.com/pear/Archive_Tar/issues/33

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit Issue Tracking Vendor Advisory

https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

https://security.gentoo.org/glsa/202101-23

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2020/dsa-4817

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory

https://www.drupal.org/sa-core-2020-013

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

25 reference(s) from NVD

Quick Stats

CVSS v3 Score

7.8 / 10.0

EPSS (Exploit Probability)

93.0%

100th percentile

Exploitation Status

Actively Exploited

Remediation due: 2022-09-15

Affected Vendors

debian php drupal fedoraproject