Lucene search

[email protected]CVE-2020-7061

HistoryFeb 27, 2020 - 9:15 p.m.

CVE-2020-7061

2020-02-2721:15:18

CWE-125

[email protected]

web.nvd.nist.gov

389

cve-2020-7061

php

version 7.3

version 7.4

phar file

windows

information disclosure

buffer overflow

nvd

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

8.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.2%

JSON

In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.

Affected configurations

NVD

Node

phpphpRange7.2.0–7.2.27

phpphpRange7.3.0–7.3.14

phpphpRange7.4.0–7.4.2

AND

microsoftwindowsMatch-

Node

tenabletenable.scRange<5.19.0

CPENameOperatorVersion
php:phpphple7.2.27
php:phpphple7.3.14
php:phpphple7.4.2

CPE	Name	Operator	Version
php:php	php	le	7.2.27
php:php	php	le	7.3.14
php:php	php	le	7.4.2

CNA Affected

[
  {
    "platforms": [
      "Windows"
    ],
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "lessThan": "7.3.15",
        "status": "affected",
        "version": "7.3.x",
        "versionType": "custom"
      },
      {
        "lessThan": "7.4.3",
        "status": "affected",
        "version": "7.4.x",
        "versionType": "custom"
      }
    ]
  }
]