CVE-2021-32610: 
PHP vulnerability analysis and mitigation

CVE-2021-32610 affects ArchiveTar versions before 1.4.14, where symlinks can refer to targets outside of the extracted archive. This vulnerability was discovered in July 2021 and is distinct from CVE-2020-36193. The issue impacts various systems and applications that use the ArchiveTar library, including PHP PEAR and Drupal installations (NVD, Debian LTS).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The issue stems from improper handling of symbolic links in archives, where the library fails to properly validate symbolic link targets, potentially allowing references to files outside the intended extraction directory (NVD).

When exploited, this vulnerability could allow an attacker to use specially crafted tar archives to write or overwrite files outside the intended extraction directory through symbolic link manipulation. This could potentially lead to unauthorized file access and system compromise (Debian LTS).

The vulnerability has been fixed in ArchiveTar version 1.4.14. Various distributions and applications have released patches and updates to address this issue. Users are advised to upgrade to the fixed version. For Debian 9 stretch, the fix is available in drupal7 version 7.52-2+deb9u16. Fedora has also released updates for affected packages ([GitHub Release](https://github.com/pear/ArchiveTar/releases/tag/1.4.14), Fedora Update).