CVE-2020-28949
CVE-2020-28949
Vexday Risk Score
100Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS 7.8EPSS 84.6%KEV simPoC públicaNuclei —Metasploit simPatch referenciado
Lifecycle
17 Nov 2020Metasploit module available
19 Nov 2020Published on NVD
25 Aug 2022Active exploitation (CISA KEV)
03 Oct 2022Public PoC
Weaponization speed
682 daysto first PoC
643 daysto active exploitation (KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
Archive_Tar library fails to properly block dangerous file operations when extracting archives. An attacker can use special filenames to overwrite existing files on the system during extraction.
Technical detail
Archive_Tar versions up to 1.4.10 implement incomplete filename sanitization that only blocks phar:// stream wrappers, leaving other protocols (e.g., file://) exploitable. During archive extraction, a crafted filename with stream wrapper syntax allows arbitrary file write/overwrite via path traversal. Requires user interaction to extract a malicious archive.
Summary generated and translated by AI from the official description.
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
n/a · n/apublic PoCs found — 2
cve_referencepacketstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.htmlunverifiedvulncheckvulncheck.com/xdb/b36055977e47unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.htmlhttps://github.com/pear/Archive_Tar/issues/33https://lists.debian.org/debian-lts-announce/2020/11/msg00045.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/https://security.gentoo.org/glsa/202101-23https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949https://www.debian.org/security/2020/dsa-4817