Plateforme
php
Composant
php
Corrigé dans
7.2.33
7.3.21
7.4.9
CVE-2020-7068 is a security vulnerability affecting the PHP programming language. This issue arises when processing PHAR files through the phar extension, specifically within the pharparsezipfile function, which can be tricked into accessing freed memory. This can result in a denial of service due to a crash or, more seriously, the potential for information disclosure. The vulnerability impacts PHP versions 7.2.x prior to 7.2.33, 7.3.x prior to 7.3.21, and 7.4.x prior to 7.4.9; a patch is available in PHP 7.4.9.
CVE-2020-7068 in PHP affects versions 7.2.x below 7.2.33, 7.3.x below 7.3.21, and 7.4.x below 7.4.9. This vulnerability lies within the phar extension, specifically in the pharparsezipfile function. An attacker could exploit this by crafting malicious PHAR files that trick pharparsezipfile into accessing freed memory. This could lead to a crash of the application or, more seriously, information disclosure. The vulnerability is rated with a CVSS score of 4.8, indicating a moderate risk that requires prompt attention, particularly in production environments.
The vulnerability is triggered by processing specially crafted malicious PHAR files containing ZIP structures designed to trigger access to freed memory. An attacker could distribute these malicious PHAR files through downloads, email, or even a compromised web server. Exploitation requires the phar extension to be enabled on the PHP server and the application to process PHAR files. The complexity of exploitation is relatively low, as it doesn't require elevated privileges or advanced technical knowledge. The likelihood of exploitation is high, especially on systems running vulnerable PHP versions and processing PHAR files from untrusted sources.
Statut de l'Exploit
EPSS
0.80% (percentile 74%)
Vecteur CVSS
The recommended mitigation for CVE-2020-7068 is to upgrade to a PHP version that includes the fix. Specifically, upgrade to PHP 7.2.33 or higher, PHP 7.3.21 or higher, or PHP 7.4.9 or higher. The upgrade should be performed as soon as possible to reduce the risk of exploitation. If an immediate upgrade is not feasible, consider temporarily disabling the phar extension as a mitigation measure. Additionally, review any PHAR files used in your application to ensure they originate from trusted sources and haven't been tampered with. Thoroughly test your application after the upgrade to verify functionality and that the vulnerability has been resolved.
Actualice a la última versión de PHP. Específicamente, actualice a la versión 7.2.33, 7.3.21 o 7.4.9, o una versión posterior, según corresponda a su rama de PHP.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
A PHAR (PHP Archive) file is a format that allows packaging PHP code and dependencies into a single file. It's similar to a ZIP file, but specifically designed for PHP.
Verify the PHP version you are using. If you are using a version prior to 7.2.33, 7.3.21, or 7.4.9, you are vulnerable. You can check the PHP version by running php -v in the command line.
CVSS (Common Vulnerability Scoring System) is a standard for assessing the severity of vulnerabilities. A score of 4.8 indicates a moderate risk, which requires attention and mitigation.
Yes, disabling the phar extension can be a temporary solution to mitigate the risk, but this may impact the functionality of your application that relies on the extension.
You can find more information about CVE-2020-7068 on the National Vulnerability Database (NVD) website: https://nvd.nist.gov/vuln/detail/CVE-2020-7068
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.