Pear Archive Tar
cpe:2.3:a:php:pear_archive_tar:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Php (9aec2613-7a27-5ce5-8ac7-140851d8da4c) |
|---|---|
| Product | Pear Archive Tar (e5fb20f1-c386-5548-992f-b2139e42591c) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/pear/archive_tar | purl2cpe | 2026-06-01 10:17:42.728138 |
| pkg:rpm/opensuse/php7-pear-archive_tar | purl2cpe | 2026-06-01 10:17:42.728141 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2018-1000888 | vulnerable | 2026-06-03 14:37:52.971062 | Details available. PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with a useful gadget is loaded, it may be possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4. Published: 2018-12-27T18:00:00.000Z. Updated: 2024-08-05T12:47:57.148Z | Imported from gcve-enriched-dumps CVE data |