CVE-2020-7063
Files added to tar with Phar::buildFromIterator have all-access permissions
CVSS 3.1 score: 5.3 (MEDIUM)
EPSS: 0.30%
Description
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when a PHAR archive is created with the PharData::buildFromIterator() function, the files are added with default permissions (0666, i.e. readable and writable by everyone) even if the original files on the filesystem had more restrictive permissions. As a result, the files may end up with laxer permissions than intended when such an archive is extracted.
How to fix CVE-2020-7063
To remediate CVE-2020-7063, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 7.2.28 or later
- upgrade to 7.2.28 or later
- upgrade to 7.2.28 or later
- upgrade to 7.4.3-1 or later
Is CVE-2020-7063 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 7.2.0, < 7.2.28, >= 7.3.0, < 7.3.15, >= 7.4.0, < 7.4.3
- >= 7.2.0, < 7.2.28, >= 7.3.0, < 7.3.15, >= 7.4.0, < 7.4.3
- >= 7.2.0, < 7.2.28, >= 7.3.0, < 7.3.15, >= 7.4.0, < 7.4.3
- from 0, < 7.4.3-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |