Unrated severity · NVD Advisory · Published Feb 27, 2020 · Updated Sep 16, 2024

Files added to tar with Phar::buildFromIterator have all-access permissions

CVE-2020-7063

Description

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating a PHAR archive using the PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem had more restrictive permissions. This may result in files having more lax permissions than intended when such an archive is extracted.
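An archive built this way is an ordinary tar file, so the stored modes can be checked and corrected before it is extracted or shipped. The following is an added example, not code from the advisory or from PHP: the function names are hypothetical and the sample archive is constructed inline. It flags regular files stored with group or world write, reports whether every file carries exactly 0666 as described above, and rewrites the archive with those write bits cleared.

```python
import io
import stat
import tarfile

LAX_BITS = stat.S_IWGRP | stat.S_IWOTH  # group/world write, both set by 0666


def audit_modes(tar_bytes):
    """Return (lax_members, all_files_are_0666) for a tar archive."""
    lax, modes = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            modes.append(m.mode & 0o777)
            if m.mode & LAX_BITS:
                lax.append((m.name, oct(m.mode & 0o777)))
    # Every regular file at exactly 0666 matches the behaviour described above.
    uniform = bool(modes) and all(mode == 0o666 for mode in modes)
    return lax, uniform


def clamp_modes(tar_bytes, mask=0o022):
    """Rewrite the archive with the masked bits removed from every regular file."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as src, \
            tarfile.open(fileobj=out, mode="w") as dst:
        for m in src.getmembers():
            data = src.extractfile(m) if m.isfile() else None
            if m.isfile():
                m.mode &= ~mask  # 0666 becomes 0644 with the default mask
            dst.addfile(m, data)
    return out.getvalue()


def build_sample(mode):
    """Constructed sample: two small files stored with the given mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (("config/db.ini", b"password=x\n"), ("keys/service.key", b"key\n")):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(body), mode
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_modes(build_sample(0o666)))
    print(audit_modes(clamp_modes(build_sample(0o666))))
```

Clamping only removes write access for group and others; it cannot restore the original, more restrictive modes, which the archive no longer records.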
