Cyber Resilience

CVE-2020-36193

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 18 January 2021
Modified: 07 November 2025
KEV Added: 25 August 2022
Patch: available
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.7115 (98.7th percentile)
Risk Priority: 78 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-36193 is a high-severity Path Traversal (CWE-22) vulnerability in Fedoraproject Fedora. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 1.3% of CVEs by exploit likelihood (EPSS 0.7115, 98.7th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Tar.php in the Archive_Tar PHP library through version 1.4.11 contains a directory traversal flaw that permits write operations because symbolic links are not adequately validated before extraction. The issue is tracked under CWE-22 and CWE-59 and is described as related to CVE-2020-28948. It received a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and high integrity impact without requiring authentication.

An unauthenticated remote attacker can supply a crafted tar archive containing symbolic links that, when processed by Archive_Tar, result in files being written to arbitrary locations on the target filesystem. Successful exploitation allows modification of files outside the intended extraction directory, potentially leading to configuration changes, code injection, or other integrity violations.
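The check that Archive_Tar lacked, as an added example that is not the library's own code: it walks the archive entries in order, remembers every symlink, rewrites later paths through those links, and rejects any entry (link target or file path) that resolves outside the extraction root. Written in Python against the standard tarfile TarInfo type; the sample entries are constructed here and are not a real-world artifact.

```python
import posixpath
import tarfile

def _escapes(p: str) -> bool:
    # A normalized path leaves the extraction root if it is absolute or starts with '..'.
    return p.startswith("/") or p == ".." or p.startswith("../")

def _resolve(name: str, links: dict, hops: int = 0) -> str:
    # Rewrite `name` through symlink entries seen earlier in the archive; bounded to stop link loops.
    if hops > 40:
        return ".."
    parts = name.split("/")
    for i in range(1, len(parts) + 1):
        prefix, rest = "/".join(parts[:i]), "/".join(parts[i:])
        if prefix in links:
            target = posixpath.normpath(posixpath.join(links[prefix], rest)) if rest else links[prefix]
            return _resolve(target, links, hops + 1)
    return name

def validate_tar_members(members):
    # Return (member name, reason) for each entry that would write outside the extraction root.
    links, problems = {}, []
    for m in members:
        resolved = _resolve(posixpath.normpath(m.name), links)
        if _escapes(resolved):
            problems.append((m.name, "path resolves outside the extraction directory"))
            continue
        if m.issym():
            target = m.linkname if posixpath.isabs(m.linkname) else posixpath.join(posixpath.dirname(resolved), m.linkname)
            links[resolved] = posixpath.normpath(target)  # remembered so later writes through it are caught too
            if _escapes(links[resolved]):
                problems.append((m.name, f"symlink target {m.linkname!r} escapes the extraction directory"))
    return problems

def demo_members():
    # Constructed sample entries (not a real-world artifact), in the order they would appear in the archive.
    def entry(name, link=None):
        info = tarfile.TarInfo(name)  # zero-length regular file unless a symlink target is given
        if link:
            info.type, info.linkname = tarfile.SYMTYPE, link
        return info
    return [
        entry("app/README"),                    # ordinary file, accepted
        entry("app/data", link="storage"),      # relative symlink that stays inside the root, accepted
        entry("app/data/cache.bin"),            # resolves to app/storage/cache.bin, accepted
        entry("app/config", link="../../etc"),  # symlink target above the root, rejected
        entry("app/config/settings.php"),       # would land in ../etc/settings.php, rejected
    ]
```

On a real archive, pass `tarfile.open(path).getmembers()` to `validate_tar_members` and refuse extraction if it returns anything; Python 3.12's tarfile `filter="data"` applies a comparable link check during extraction.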

Upstream remediation is available in the form of a commit to the pear/Archive_Tar repository that strengthens symlink handling. Distribution-specific advisories from Debian LTS and Fedora recommend updating to a patched version of the package to address the vulnerability.

Vulnerability details

Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.

CWE(s): CWE-22, CWE-59
KEV Date Added: 25 August 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product        Versions
php             archive tar    ≤ 1.4.11
fedoraproject   fedora         32, 33, 34, 35
debian          debian linux   10.0, 9.0
drupal          drupal         7.0 through 7.78 · 8.9.0 through 8.9.13 · 9.0.0 through 9.0.11

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly requires validation of untrusted input (tar paths and symlinks) to block the directory traversal writes described in the CVE.

prevent (SI-2, Flaw Remediation): Mandates prompt application of the upstream Archive_Tar patch that strengthens symlink handling and eliminates the flaw.

prevent: Limits the privileges of the process performing extraction so that even a successful traversal yields minimal filesystem modification.
