{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "32" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "33" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "34" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "35" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "9.0" }, { "introduced": "0" }, { "last_affected": "10.0" }, { "introduced": "7.0" }, { "fixed": "7.75" }, { "introduced": "8.0.0" }, { "fixed": "8.9.10" }, { "introduced": "8.8.0" }, { "fixed": "8.8.12" }, { "introduced": "9.0.0" }, { "fixed": "9.0.9" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "d62812dc17ce593beb2ccd4cdbee1a76c95e3fd7" }, { "introduced": "0" }, { "last_affected": "2700c5afb6c3936041db413872eea82dc0bd4fe4" }, { "introduced": "497914920385b7016ac9c9367e0198530787adf2" }, { "fixed": "98b9dd73fb606159242c98a57aa9068d8fa3328d" }, { "introduced": "35c2f3ca5c935f3d8bde15932a712677c9bbd50f" }, { "fixed": "f7a296a30a0bce9062fd655388fefe30d832e003" }, { "introduced": "f2b59e3ae8097ea01d15c708f1267b73794399c0" }, { "fixed": "58153924a828197866f99804f3e5b9ee9a4cc600" }, { "introduced": "d62812dc17ce593beb2ccd4cdbee1a76c95e3fd7" }, { "fixed": "14803c18e98871592f360f9406cd7ece99aaa9bf" } ], "repo": "https://github.com/drupal/drupal", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "1.4.12" } ] }, "events": [ { "introduced": "0" }, { "fixed": "19bb8e95490d3e3ad92fcac95500ca80bdcc7495" } ], "repo": "https://github.com/pear/archive_tar", "type": "GIT" } ] } ], "details": "Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.", "id": "CVE-2020-28949", "modified": "2026-04-01T23:09:03.093521082Z", "published": "2020-11-19T19:15:11.937Z", "references": [ { "type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-28949" }, { "type": "ADVISORY", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR/" }, { "type": "ADVISORY", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5KSFM672XW3X6BR7TVKRD63SLZGKK437/" }, { "type": "ADVISORY", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KWM4CTMEGAC4I2CHYNJVSROY4CVXVEUT/" }, { "type": "ADVISORY", "url": "https://security.gentoo.org/glsa/202101-23" }, { "type": "ADVISORY", "url": "https://www.drupal.org/sa-core-2020-013" }, { "type": "ADVISORY", "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00045.html" }, { "type": "ADVISORY", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4V35LBRM6HBCXBVCITKQ4UEBTXO2EG7B/" }, { "type": "ADVISORY", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NBYZSHYTIOBK6V7C4N7TP6KIKCRKLVWP/" }, { "type": "ADVISORY", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N/" }, { "type": "ADVISORY", "url": "https://www.debian.org/security/2020/dsa-4817" }, { "type": "REPORT", "url": "https://github.com/pear/Archive_Tar/issues/33" }, { "type": "EVIDENCE", "url": "http://packetstormsecurity.com/files/161095/PEAR-Archive_Tar-Arbitrary-File-Write.html" } ], "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }