IRONSMITHINTEL
HIGHCVSS7.8
|
Actively Exploited
|CISA KEV|CVE-2020-28949|Auth: none — unauthenticated|Reboot: required|Manual only

PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability

PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux.

Published Nov 19, 2020 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A local attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2022-09-15 under CISA BOD 22-01.

How the attack worksNo clicks needed

This vulnerability affects PEAR Archive_Tar. Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed. Exploitation requires local access, low attack complexity, no authentication required, and user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running archive tar: v < 1.4.12; debian linux: 9.0, 10.0; fedora: 32, 33, 34, 35; drupal: 7.0 ≤ v < 7.75, 8.0.0 ≤ v < 8.9.10, 8.8.0 ≤ v < 8.8.12, 9.0.0 ≤ v < 9.0.9
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply updates per vendor instructions.

References

    1
    Vendor advisory: https://pear.php.net/bugs/bug.php?id=27002, https://www.drupal.org/sa-core-2020-013, https://access.redhat.com/security/cve/cve-2020-28949
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2020-28949
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2020-28949NVDVendor Advisory