CVE-2021-32610
HIGH 7.1 / EPSS 3.0% / drupal7 - security update
Published: 7/21/2021
Modified: 4/28/2026
Description
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
Affected packages (4)
- Debian/drupal7: from 0, < 7.52-2+deb9u16
- Debian/php-pear: from 0
- Packagist/drupal/core: >= 8.0.0, < 8.9.17 | >= 9.1.0, < 9.1.11 | >= 9.2.0, < 9.2.2
- Packagist/pear/archive_tar: from 0, < 1.4.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
References (12)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-32610
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2021-32610
- PATCH: https://github.com/pear/Archive_Tar
- WEB: https://github.com/pear/Archive_Tar/commit/7789ebb2f34f9e4adb3a4152ad0d1548930a9755
- WEB: https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f
- WEB: https://github.com/pear/Archive_Tar/releases/tag/1.4.14
- WEB: https://lists.debian.org/debian-lts-announce/2021/07/msg00023.html
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/42GPGVVFTLJYAKRI75IVB5R45NYQGEUR
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/CAODVMHGL5MHQWQAQTXQ7G7OE3VQZ7LS
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/G5LTY6COQYNMMHQJ3QIOJHEWCKD4XDFH
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/VJQQYDAOWHD6RDITDRPHFW7WY6BS3V5N
- WEB: https://www.drupal.org/sa-core-2021-004