CVE-2020-28948

Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Name	Vendor	Start Version	End Version
Archive_tar	Php	*	1.4.11 (excluding)
Red Hat Enterprise Linux 7	RedHat	php-pear-1:1.9.4-23.el7_9	*
Red Hat Enterprise Linux 8	RedHat	php:7.4-8060020220907094815.5caa48ff	*
Red Hat Enterprise Linux 8.4 Extended Update Support	RedHat	php:7.4-8040020220907095003.d7c09045	*
Drupal7	Ubuntu	esm-apps/xenial	*
Drupal7	Ubuntu	esm-infra-legacy/trusty	*
Drupal7	Ubuntu	trusty	*
Drupal7	Ubuntu	trusty/esm	*
Drupal7	Ubuntu	upstream	*
Drupal7	Ubuntu	xenial	*
Php-pear	Ubuntu	bionic	*
Php-pear	Ubuntu	devel	*
Php-pear	Ubuntu	esm-infra/bionic	*
Php-pear	Ubuntu	esm-infra/focal	*
Php-pear	Ubuntu	esm-infra/xenial	*
Php-pear	Ubuntu	focal	*
Php-pear	Ubuntu	groovy	*
Php-pear	Ubuntu	hirsute	*
Php-pear	Ubuntu	impish	*
Php-pear	Ubuntu	jammy	*
Php-pear	Ubuntu	kinetic	*
Php-pear	Ubuntu	lunar	*
Php-pear	Ubuntu	mantic	*
Php-pear	Ubuntu	noble	*
Php-pear	Ubuntu	oracular	*
Php-pear	Ubuntu	trusty	*
Php-pear	Ubuntu	xenial	*

Make fields transient to protect them from deserialization.
An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-28948
CWE	https://cwe.mitre.org/data/definitions/502.html

Deserialization of Untrusted Data