CVE-2018-1000888

Name of the Vulnerable Software and Affected Versions PEAR Archive Tar versions 1.4.3 and earlier

Description The issue is related to the Archive Tar class, where several file operations use the $v header['filename'] parameter. This can be exploited by crafting a tar file with a malicious path, potentially leading to object injection and arbitrary file deletion. In some cases, it may also be possible to achieve remote code execution, resulting in file modification or deletion. The vulnerability is related to the restoration of untrusted data in memory.

Recommendations For PEAR Archive Tar versions 1.4.3 and earlier, update to version 1.4.4 to resolve the issue. As a temporary workaround, consider restricting the use of the Archive Tar class until a patch is available. Avoid using the $v header['filename'] parameter in file operations to minimize the risk of exploitation.