CVE-2020-7068

Description

In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.

How to fix CVE-2020-7068

To remediate CVE-2020-7068, upgrade the affected package to a fixed version below.

• Bitnami/libphp—upgrade to 7.2.33 or later
• —upgrade to 7.2.33 or later
• —upgrade to 7.2.33 or later
• —upgrade to 7.0.33-0+deb9u9 or later
• —upgrade to 7.3.27-1~deb10u1 or later
• —upgrade to 7.4.9-1 or later

Is CVE-2020-7068 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• >= 7.2.0, < 7.2.33, >= 7.3.0, < 7.3.21, >= 7.4.0, < 7.4.9
• >= 7.2.0, < 7.2.33, >= 7.3.0, < 7.3.21, >= 7.4.0, < 7.4.9
• >= 7.2.0, < 7.2.33, >= 7.3.0, < 7.3.21, >= 7.4.0, < 7.4.9
• from 0, < 7.0.33-0+deb9u9
• from 0, < 7.3.27-1~deb10u1
• from 0, < 7.4.9-1

CVSS scores

References (7)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-7068
• WEBbugs.php.net/bug.php?id=79797
• WEBnvd.nist.gov/vuln/detail/CVE-2020-7068
• WEBsecurity.gentoo.org/glsa/202009-10
• WEBsecurity.netapp.com