CVE-2020-36193
Published: 18 January 2021
Summary
CVE-2020-36193 is a high-severity Path Traversal (CWE-22) vulnerability in Fedoraproject Fedora. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 1.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Tar.php in the Archive_Tar PHP library through version 1.4.11 contains a directory traversal flaw that permits write operations because symbolic links are not adequately validated before extraction. The issue is tracked under CWE-22 and CWE-59 and is described as related to CVE-2020-28948. It received a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and high integrity impact without requiring authentication.
An unauthenticated remote attacker can supply a crafted tar archive containing symbolic links that, when processed by Archive_Tar, result in files being written to arbitrary locations on the target filesystem. Successful exploitation allows modification of files outside the intended extraction directory, potentially leading to configuration changes, code injection, or other integrity violations.
Upstream remediation is available in the form of a commit to the pear/Archive_Tar repository that strengthens symlink handling. Distribution-specific advisories from Debian LTS and Fedora recommend updating to a patched version of the package to address the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-0874
Vulnerability details
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
- CWE(s)
- KEV Date Added
- 25 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted input (tar paths and symlinks) to block the directory traversal writes described in the CVE.
Mandates prompt application of the upstream Archive_Tar patch that strengthens symlink handling and eliminates the flaw.
Limits the privileges of the process performing extraction so that even a successful traversal yields minimal filesystem modification.