CVE-2020-7063

Status: Modified
Published: 27 Feb 2020, 20:25
Last modified: 16 Sept 2024, 16:49

Vulnerability Summary

Overall Risk (default): medium (32/100)
CVSS Score: 5.5 MEDIUM, v3.1 (cve.org)
EPSS Score: 0.3% LOW
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected

Timeline

27 Feb 2020, 20:25: Published (vulnerability first disclosed)
16 Sept 2024, 16:49: Last modified (vulnerability information updated)

Description

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when a PHAR archive is created using PharData::buildFromIterator(), the files are added with the default permission mask (0666, i.e. readable and writable by everyone) even if the original files on the filesystem had more restrictive permissions. The archive therefore records a mode that is laxer than the source file's, and that recorded mode is what gets applied when the archive is extracted, so a file that was 0600 on the build host can end up world-readable after extraction.
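The following is an added example, not code from the advisory or from the PHP project. It builds a tar archive with PharData::buildFromIterator() from a constructed temporary directory containing a 0644 file and a 0600 file, reads back the mode recorded for each entry, and then applies the workaround that is available on unpatched builds: copying the source file's mode onto the entry with PharFileInfo::chmod(). The function name buildArchiveWithPreservedPerms and the file names public.txt and secret.key are my own; PharData, buildFromIterator(), PharFileInfo::chmod() and SplFileInfo::getPerms() are real PHP APIs. It assumes a POSIX host and the phar extension (PharData archives can be written even with phar.readonly=1).

```php
<?php
// Added example for CVE-2020-7063 (not from the advisory or the PHP project).
// Builds a tar with buildFromIterator(), reports the mode recorded for each
// entry, and re-applies the real source mode as a workaround for affected builds.

function buildArchiveWithPreservedPerms(string $srcDir, string $archivePath): array
{
    $phar = new PharData($archivePath); // .tar extension => tar format; allowed with phar.readonly=1
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS)
    );

    // buildFromIterator() returns [internal path => absolute path on disk].
    $added = $phar->buildFromIterator($iter, $srcDir);

    // On PHP < 7.2.28 / 7.3.15 / 7.4.3 every entry is recorded as 0666 regardless
    // of the source mode. Copy the source mode back onto the entry so the archive
    // carries what the filesystem had. On fixed builds this is a no-op.
    $report = [];
    foreach ($added as $internal => $source) {
        $srcMode = fileperms($source) & 0777;          // mode of the original file
        $before  = $phar[$internal]->getPerms() & 0777; // mode recorded in the archive
        $phar[$internal]->chmod($srcMode);              // PharFileInfo::chmod()
        clearstatcache(true);                           // do not reuse the cached stat
        $after   = $phar[$internal]->getPerms() & 0777;
        $report[$internal] = ['source' => $srcMode, 'before' => $before, 'after' => $after];
    }
    return $report;
}

// Constructed input: a temp dir with one world-readable file and one owner-only key.
$src = sys_get_temp_dir() . '/cve-2020-7063-' . getmypid();
mkdir($src, 0700);
file_put_contents("$src/public.txt", "hello\n");
chmod("$src/public.txt", 0644);
file_put_contents("$src/secret.key", "private\n");
chmod("$src/secret.key", 0600);

$tar = "$src.tar";
foreach (buildArchiveWithPreservedPerms($src, $tar) as $name => $modes) {
    printf("%-10s source=%04o archive-before=%04o archive-after=%04o\n",
        $name, $modes['source'], $modes['before'], $modes['after']);
}
// On an affected PHP build "archive-before" is 0666 for both entries; on a fixed
// build it already equals "source". "archive-after" equals "source" either way.

// Remove the constructed input and the archive.
unlink("$src/public.txt");
unlink("$src/secret.key");
rmdir($src);
unlink($tar);
```

To confirm the archive's recorded modes independently of PHP, list it with `tar -tvf <archive>.tar`: an affected build without the workaround shows `-rw-rw-rw-` for secret.key, a fixed build (or the workaround) shows `-rw-------`. On extraction, tar applies the recorded mode filtered through the umask for an unprivileged user (0666 under umask 022 becomes 0644, still world-readable) and applies it exactly for root or with `-p`, which is why the recorded mode, not the source mode, is what matters downstream.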

CVSS Metrics

  • v3.1 MEDIUM, score 5.5: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  • v3.1 MEDIUM, score 5.3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • v2.0 MEDIUM, score 5.0: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.30% Percentile: 54%

Techniques & Countermeasures

  • CWE-281: Improper Preservation of Permissions

    The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Affected Systems

  • Debian debian_linux

    8.0 | 9.0 | 10.0

  • openSUSE Leap

    15.1

  • PHP

    ≥ 7.2.0, < 7.2.28 | ≥ 7.3.0, < 7.3.15 | ≥ 7.4.0, < 7.4.3

  • Tenable tenable.sc

    < 5.19.0
