Unrated severityNVD Advisory· Published Feb 27, 2020· Updated Sep 16, 2024

Files added to tar with Phar::buildFromIterator have all-access permissions

CVE-2020-7063

Description

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.

Affected products

Php Group/PHPv5
Range: 7.3.x

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.htmlmitrevendor-advisoryx_refsource_SUSE
security.gentoo.org/glsa/202003-57mitrevendor-advisoryx_refsource_GENTOO
usn.ubuntu.com/4330-1/mitrevendor-advisoryx_refsource_UBUNTU
www.debian.org/security/2020/dsa-4717mitrevendor-advisoryx_refsource_DEBIAN
www.debian.org/security/2020/dsa-4719mitrevendor-advisoryx_refsource_DEBIAN
bugs.php.net/bug.phpmitrex_refsource_MISC
lists.debian.org/debian-lts-announce/2020/03/msg00034.htmlmitremailing-listx_refsource_MLIST
www.tenable.com/security/tns-2021-14mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000