CVE-2020-36193: 
PHP vulnerability analysis and mitigation

CVE-2020-36193 affects ArchiveTar through version 1.4.11, a PHP library for handling tar files. The vulnerability was discovered in January 2021 and involves a directory traversal issue due to inadequate checking of symbolic links, related to CVE-2020-28948. This vulnerability affects multiple systems and applications that use the ArchiveTar library, including Drupal, PEAR, and various Linux distributions (NVD, Debian LTS).

The vulnerability exists in the Tar.php file of Archive_Tar and allows write operations with Directory Traversal due to inadequate checking of symbolic links. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating it can be exploited remotely with no privileges required (NVD).

The vulnerability allows attackers to perform write operations outside the intended directory structure through symbolic link manipulation. This could lead to privilege escalation by overwriting files outside the extraction directory through a crafted .tar archive (Debian LTS).

The vulnerability has been fixed in Archive_Tar version 1.4.12. Various distributions have released patches and updates to address this issue: Debian has released updates for both stable and LTS versions, Gentoo has released GLSA 202101-23, and Drupal has released SA-CORE-2021-001 (Gentoo Security, Debian Security).