CVE-2020-28949 — PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability

2022-08-25 • CISA Known Exploited Vulnerability

[event] PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux.

> AFFECTED SOFTWARE

Field	Value
Vendor	PEAR
Product	Archive_Tar
CWE	CWE-74
CVE ID	CVE-2020-28949
Date Added	2022-08-25
Due Date	2022-09-15
Ransomware Campaign	Unknown

> MITIGATION

Apply updates per vendor instructions.

Due Date: 2022-09-15

> REFERENCES

[1] https://pear.php.net/bugs/bug.php?id=27002,
[2] https://www.drupal.org/sa-core-2020-013,
[3] https://access.redhat.com/security/cve/cve-2020-28949
[4] https://nvd.nist.gov/vuln/detail/CVE-2020-28949