CVE-2018-1000888: Archive_Tar contains Potential RCE if filename starts with phar://
8.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.96312%
CWE
-
Published
7/7/2023
Updated
7/7/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
pear/archive_tar | composer | < 1.4.4 | 1.4.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key points: 1) The _maliciousFilename method lacked a check for 'phar://' prefixes (added in the patch), allowing attackers to bypass path validation. 2) The _extractFile method (and related extraction logic) used $v_header['filename'] in PHP filesystem functions (file_exists/is_dir/etc.) without proper sanitization. When combined, these allow phar:// wrappers to trigger deserialization via Phar metadata. The exploit examples and patch focus on these components, confirming their critical role in the vulnerability.