CVE-2020-28949

Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

497914920385b7016ac9c9367e0198530787adf2

Fixed

98b9dd73fb606159242c98a57aa9068d8fa3328d

Affected versions

7.*

7.0

7.1

7.10

7.11

7.12

7.13

7.14

7.15

7.16

7.17

7.18

7.19

7.2

7.20

7.21

7.22

7.23

7.24

7.25

7.26

7.27

7.28

7.29

7.3

7.30

7.31

7.32

7.33

7.34

7.35

7.36

7.37

7.38

7.39

7.4

7.40

7.41

7.42

7.43

7.44

7.5

7.50

7.51

7.52

7.53

7.54

7.55

7.56

7.57

7.58

7.59

7.6

7.60

7.61

7.62

7.63

7.64

7.65

7.66

7.67

7.68

7.69

7.7

7.70

7.71

7.72

7.73

7.74

7.8

7.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-28949.json"

Git / github.com/pear/archive_tar

Affected ranges

Type: GIT
Repo: https://github.com/pear/archive_tar
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

19bb8e95490d3e3ad92fcac95500ca80bdcc7495

Affected versions

1.*

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.4.0

1.4.1

1.4.10

1.4.11

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-28949.json"