CVE-2020-7063 — MEDIUM (5.5)

Q: How severe is CVE-2020-7063?

CVE-2020-7063 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-7063?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Tenable Tenable.Sc, Debian Debian Linux, Opensuse Leap.

Vulnerability Description

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Php	Php	>= 7.2.0, <= 7.2.27
Tenable	Tenable.Sc	< 5.19.0
Debian	Debian Linux	8.0
Opensuse	Leap	15.1

Related Weaknesses (CWE)

CWE-281

References

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.htmlThird Party Advisory
https://bugs.php.net/bug.php?id=79082ExploitVendor Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00034.htmlThird Party Advisory
https://security.gentoo.org/glsa/202003-57Third Party Advisory
https://usn.ubuntu.com/4330-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4717Third Party Advisory
https://www.debian.org/security/2020/dsa-4719Third Party Advisory
https://www.tenable.com/security/tns-2021-14PatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.htmlThird Party Advisory
https://bugs.php.net/bug.php?id=79082ExploitVendor Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00034.htmlThird Party Advisory
https://security.gentoo.org/glsa/202003-57Third Party Advisory
https://usn.ubuntu.com/4330-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4717Third Party Advisory
https://www.debian.org/security/2020/dsa-4719Third Party Advisory

FAQ

What is CVE-2020-7063?

CVE-2020-7063 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (066...

How severe is CVE-2020-7063?

CVE-2020-7063 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-7063?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Tenable Tenable.Sc, Debian Debian Linux, Opensuse Leap.