NVD Vulnerability Detail

CVE-2020-36193

Summary	Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
Publication Date	Jan. 19, 2021, 5:15 a.m.
Registration Date	Jan. 26, 2021, 10:40 a.m.
Last Update	Nov. 21, 2024, 2:28 p.m.

CVSS3.1 : HIGH
スコア	7.5
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	高
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
Score	5.0
Vector	AV:N/AC:L/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:php:archive_tar::::::::			1.4.11

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:32:::::::*
cpe:2.3:o:fedoraproject:fedora:33:::::::*
cpe:2.3:o:fedoraproject:fedora:34:::::::*
cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*
cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:drupal:drupal::::::::	9.1.0			9.1.3
cpe:2.3:a:drupal:drupal::::::::	9.0.0			9.0.11
cpe:2.3:a:drupal:drupal::::::::	7.0			7.78
cpe:2.3:a:drupal:drupal::::::::	8.9.0			8.9.13

Related information, measures and tools

No	URL	タグ
1	https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916	Patch
2	https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916	Patch
3	https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html	Mailing List Third Party Advisory
4	https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html	Mailing List Third Party Advisory
5	https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html	Mailing List Third Party Advisory
6	https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html	Mailing List Third Party Advisory
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/	Broken Link
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/	Broken Link
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/	Broken Link
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/	Broken Link
11	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/	Broken Link
12	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/	Broken Link
13	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/	Broken Link
14	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/	Broken Link
15	https://security.gentoo.org/glsa/202101-23	Third Party Advisory
16	https://security.gentoo.org/glsa/202101-23	Third Party Advisory
17	https://www.debian.org/security/2021/dsa-4894	Third Party Advisory
18	https://www.debian.org/security/2021/dsa-4894	Third Party Advisory
19	https://www.drupal.org/sa-core-2021-001	Third Party Advisory
20	https://www.drupal.org/sa-core-2021-001	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html
2	CWE-59	リンク解釈の問題	https://cwe.mitre.org/data/definitions/59.html

JVN Vulnerability Information

Archive_Tar におけるリンク解釈に関する脆弱性

Title	Archive_Tar におけるリンク解釈に関する脆弱性
Summary	Archive_Tar には、リンク解釈に関する脆弱性、およびパストラバーサルの脆弱性が存在します。本脆弱性は、CVE-2020-28948 と関連する脆弱性です。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 14, 2020, midnight
Registration Date	Sept. 29, 2021, 5:27 p.m.
Last Update	Sept. 29, 2021, 5:27 p.m.

Affected System

The PHP Group

Archive Tar 1.4.11 まで

Drupal

Debian

Debian GNU/Linux

Fedora Project

Fedora

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-36193	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36193
National Vulnerability Database (NVD)
2	CVE-2020-36193	https://nvd.nist.gov/vuln/detail/CVE-2020-36193

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html
2	CWE-59	https://jvndb.jvn.jp/ja/cwe/CWE-59.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 2621-1] php-pear security update	https://lists.debian.org/debian-lts-announce/2021/04/msg00007.html
2	[SECURITY] [DLA-2530-1] drupal7 security update	https://lists.debian.org/debian-lts-announce/2021/01/msg00018.html
Debian Security Advisory
3	DSA-4894-1	https://www.debian.org/security/2021/dsa-4894
Fedora Update Notification
4	FEDORA-2021-02996612f6	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YKD5WEFA4WT6AVTMRAYBNXZNLWZHM7FH/
5	FEDORA-2021-0c013f520c	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/
6	FEDORA-2021-8093e197f4	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/
7	FEDORA-2021-dc7de65eed	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FOZNK4FIIV7FSFCJNNFWMJZTTV7NFJV2/
GitHub
8	Disallow symlinks to out-of-path filenames	https://github.com/pear/Archive_Tar/commit/cde460582ff389404b5b3ccb59374e9b389de916
Security advisories
9	SA-CORE-2021-001	https://www.drupal.org/sa-core-2021-001

Change Log

No	Changed Details	Date of change
1	[2021年09月29日] 掲載	Sept. 29, 2021, 5:27 p.m.