CVE-2020-7063 Information
Description
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating a PHAR archive using the PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem had more restrictive permissions. This may result in files having laxer permissions than intended when such an archive is extracted.
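As an added example (not part of this CVE record or of PHP's own code), the following PHP script shows a mitigation for the behaviour described above: after PharData::buildFromIterator() has added the files, each entry's mode is compared with the source file's mode and restored with PharFileInfo::chmod() when it differs. The demo directory, its 0600 file and its placeholder content are constructed here; the script assumes a writable temp directory and the Phar extension.

```php
<?php
// Added example, not from the CVE record or the PHP project.
// Builds a tar with PharData::buildFromIterator() and then copies each
// source file's permission bits onto the archive entry, so an archive
// built on an affected PHP version does not carry 0666 for every file.

function buildPreservingPerms(string $archive, string $srcDir): array
{
    @unlink($archive);               // start from a fresh archive
    $phar = new PharData($archive);
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS)
    );
    // Returns [path inside archive => absolute path on the filesystem].
    $added = $phar->buildFromIterator($files, $srcDir);

    $report = [];
    foreach ($added as $entry => $source) {
        $want = fileperms($source) & 0777;          // mode of the original file
        $have = $phar[$entry]->getPerms() & 0777;   // mode stored in the archive
        if ($have !== $want) {
            $phar[$entry]->chmod($want);            // restore the restrictive mode
        }
        $report[$entry] = [
            'archived' => $have,
            'final'    => $phar[$entry]->getPerms() & 0777,
        ];
    }
    return $report;
}

// Constructed demo input: a directory holding one 0600 file with placeholder content.
$dir = sys_get_temp_dir() . '/cve-2020-7063-demo-' . getmypid();
mkdir($dir . '/sub', 0700, true);
file_put_contents($dir . '/sub/secret.conf', "token=PLACEHOLDER\n");
chmod($dir . '/sub/secret.conf', 0600);

foreach (buildPreservingPerms($dir . '.tar', $dir) as $entry => $modes) {
    printf("%s: archived as %04o, final mode %04o\n",
        $entry, $modes['archived'], $modes['final']);
}
```

On an affected version the "archived as" column shows 0666 for the 0600 file before the script restores it; on a fixed version both columns already agree.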
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Reference
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html
https://bugs.php.net/bug.php?id=79082
https://lists.debian.org/debian-lts-announce/2020/03/msg00034.html
https://security.gentoo.org/glsa/202003-57
https://usn.ubuntu.com/4330-1/
https://www.debian.org/security/2020/dsa-4717
https://www.debian.org/security/2020/dsa-4719
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Base Score: 5.3
Base Severity: MEDIUM