CVE-2018-1000888 — HIGH (8.8)

Q: How severe is CVE-2018-1000888?

CVE-2018-1000888 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1000888?

Check the references section above for vendor advisories and patch information. Affected products include: Php Pear Archive Tar, Canonical Ubuntu Linux, Debian Debian Linux.

Vulnerability Description

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Php	Pear Archive Tar	<= 1.4.3
Canonical	Ubuntu Linux	16.04
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-502

References

https://blog.ripstech.com/2018/new-php-exploitation-technique/ExploitThird Party Advisory
https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-UnserializationExploitTechnical DescriptionThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00020.htmlThird Party Advisory
https://pear.php.net/bugs/bug.php?id=23782Broken LinkThird Party Advisory
https://pear.php.net/package/Archive_Tar/download/Broken LinkThird Party Advisory
https://security.gentoo.org/glsa/202006-14
https://usn.ubuntu.com/3857-1/Third Party Advisory
https://www.debian.org/security/2019/dsa-4378Third Party Advisory
https://www.exploit-db.com/exploits/46108/ExploitThird Party AdvisoryVDB Entry
https://blog.ripstech.com/2018/new-php-exploitation-technique/ExploitThird Party Advisory
https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It%27s-A-PHP-UnserializationExploitTechnical DescriptionThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/02/msg00020.htmlThird Party Advisory
https://pear.php.net/bugs/bug.php?id=23782Broken LinkThird Party Advisory
https://pear.php.net/package/Archive_Tar/download/Broken LinkThird Party Advisory
https://security.gentoo.org/glsa/202006-14

FAQ

What is CVE-2018-1000888?

CVE-2018-1000888 is a vulnerability with a CVSS score of 8.8 (HIGH). PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file...

How severe is CVE-2018-1000888?

CVE-2018-1000888 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1000888?

Check the references section above for vendor advisories and patch information. Affected products include: Php Pear Archive Tar, Canonical Ubuntu Linux, Debian Debian Linux.