Plataforma
php
Componente
php
Corrigido em
7.2.33
7.3.21
7.4.9
CVE-2020-7068 is a security vulnerability affecting the PHP programming language. This issue arises when processing PHAR files through the phar extension, specifically within the pharparsezipfile function, which can be tricked into accessing freed memory. This can result in a denial of service due to a crash or, more seriously, the potential for information disclosure. The vulnerability impacts PHP versions 7.2.x prior to 7.2.33, 7.3.x prior to 7.3.21, and 7.4.x prior to 7.4.9; a patch is available in PHP 7.4.9.
CVE-2020-7068 in PHP affects versions 7.2.x below 7.2.33, 7.3.x below 7.3.21, and 7.4.x below 7.4.9. This vulnerability lies within the phar extension, specifically in the pharparsezipfile function. An attacker could exploit this by crafting malicious PHAR files that trick pharparsezipfile into accessing freed memory. This could lead to a crash of the application or, more seriously, information disclosure. The vulnerability is rated with a CVSS score of 4.8, indicating a moderate risk that requires prompt attention, particularly in production environments.
The vulnerability is triggered by processing specially crafted malicious PHAR files containing ZIP structures designed to trigger access to freed memory. An attacker could distribute these malicious PHAR files through downloads, email, or even a compromised web server. Exploitation requires the phar extension to be enabled on the PHP server and the application to process PHAR files. The complexity of exploitation is relatively low, as it doesn't require elevated privileges or advanced technical knowledge. The likelihood of exploitation is high, especially on systems running vulnerable PHP versions and processing PHAR files from untrusted sources.
Status do Exploit
EPSS
0.80% (percentil 74%)
Vetor CVSS
The recommended mitigation for CVE-2020-7068 is to upgrade to a PHP version that includes the fix. Specifically, upgrade to PHP 7.2.33 or higher, PHP 7.3.21 or higher, or PHP 7.4.9 or higher. The upgrade should be performed as soon as possible to reduce the risk of exploitation. If an immediate upgrade is not feasible, consider temporarily disabling the phar extension as a mitigation measure. Additionally, review any PHAR files used in your application to ensure they originate from trusted sources and haven't been tampered with. Thoroughly test your application after the upgrade to verify functionality and that the vulnerability has been resolved.
Actualice a la última versión de PHP. Específicamente, actualice a la versión 7.2.33, 7.3.21 o 7.4.9, o una versión posterior, según corresponda a su rama de PHP.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
A PHAR (PHP Archive) file is a format that allows packaging PHP code and dependencies into a single file. It's similar to a ZIP file, but specifically designed for PHP.
Verify the PHP version you are using. If you are using a version prior to 7.2.33, 7.3.21, or 7.4.9, you are vulnerable. You can check the PHP version by running php -v in the command line.
CVSS (Common Vulnerability Scoring System) is a standard for assessing the severity of vulnerabilities. A score of 4.8 indicates a moderate risk, which requires attention and mitigation.
Yes, disabling the phar extension can be a temporary solution to mitigate the risk, but this may impact the functionality of your application that relies on the extension.
You can find more information about CVE-2020-7068 on the National Vulnerability Database (NVD) website: https://nvd.nist.gov/vuln/detail/CVE-2020-7068
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.