CVE-2020-7063 MEDIUM

CVE-2020-7063: Files added to tar with Phar::buildFromIterator have all-access permissions

Vendor Php Group
Product PHP
Weakness CWE-281
Published February 27, 2020
Last update September 16, 2024

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Description

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating a PHAR archive using the PharData::buildFromIterator() function, the files are added with default permissions (0666, i.e. read and write for everyone) even if the original files on the filesystem had more restrictive permissions. This may result in files having more lax permissions than intended when such an archive is extracted.

Disclosure timeline

February 27, 2020 CVE published
September 16, 2024 Record updated