History: May 11, 2020 - 5:36 p.m.

Security Bulletin: IBM API Connect is vulnerable to vulnerabilities in PHP (CVE-2020-7061, CVE-2020-7062, CVE-2020-7063)

Source: www.ibm.com

EPSS: 0.007 (percentile 80.8%)

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2020-7061
**DESCRIPTION:** PHP could allow a remote attacker to obtain sensitive information, caused by an error while extracting PHAR files on Windows using the phar extension. An attacker could exploit this vulnerability to trigger a one-byte read past the allocated buffer to obtain sensitive information or cause the application to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/177008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2020-7062
**DESCRIPTION:** PHP is vulnerable to a denial of service, caused by a NULL pointer dereference in PHP session upload progress. By using file upload functionality, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/177007 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-7063
**DESCRIPTION:** PHP could allow a remote attacker to obtain sensitive information. Files are added with 0666 default permissions when creating a PHAR archive using the PharData::buildFromIterator() function. This results in files having more lax permissions than intended. An attacker could exploit this vulnerability to gain access to the system.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/177006 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
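The 0666 default described for CVE-2020-7063 is visible in the archive itself, so a deployment can check archives it has already produced. The following Python script is an added example and is not IBM's or the PHP project's code: it audits a tar archive (the format PharData writes when given a `.tar` file name) for regular-file entries that are group- or world-writable, and rewrites the archive with those write bits cleared while leaving names and contents untouched. The sample archive it builds in memory, including the file names and contents, is constructed for the demonstration; on a real system you would pass the bytes of the PharData output instead.

```python
import io
import stat
import tarfile

# Mode bits that make an entry writable by users other than its owner.
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH   # 0o022


def find_overly_permissive(archive_bytes: bytes) -> list[tuple[str, int]]:
    """Return (name, mode) for every regular file whose mode grants group/other write.

    An archive built with the 0666 default from CVE-2020-7063 trips this check
    for each file it contains; an archive built with 0644 entries does not.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and (member.mode & UNSAFE_WRITE_BITS):
                findings.append((member.name, member.mode & 0o777))
    return findings


def tighten_modes(archive_bytes: bytes) -> bytes:
    """Copy the archive, clearing group/other write bits on every entry.

    Only the permission bits change; entry names, ownership and contents are
    carried over unchanged, so the archive stays usable after the rewrite.
    """
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as src, \
            tarfile.open(fileobj=out, mode="w") as dst:
        for member in src.getmembers():
            payload = src.extractfile(member) if member.isfile() else None
            member.mode &= ~UNSAFE_WRITE_BITS
            dst.addfile(member, payload)
    return out.getvalue()


def read_entry(archive_bytes: bytes, name: str) -> bytes:
    """Return the contents of one regular-file entry, to confirm a rewrite kept data intact."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        return tar.extractfile(name).read()


def build_sample_archive(mode: int) -> bytes:
    """Constructed sample: an in-memory tar with two PHP files at the given mode.

    This stands in for the output of PharData::buildFromIterator(); the file
    names and contents are made up for the example.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("app/config.php", b"<?php // constructed sample\n"),
                           ("app/index.php", b"<?php echo 'ok';\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive(0o666)   # mimics the lax default from the bulletin
    for name, mode in find_overly_permissive(sample):
        print(f"{name}: mode {mode:o} is writable by group/other")
    fixed = tighten_modes(sample)
    print("after tightening:", find_overly_permissive(fixed) or "no findings")
```

The check only clears the group/other write bits rather than forcing a fixed mode, so executable bits and owner permissions that the archive author intended are preserved; the same audit applies to any tar produced by a tool that copies mode bits too generously, not only to PharData output.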

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM API Connect | V5.0.0.0-5.0.8.7 |
| IBM API Connect | V2018.4.1.0-V2018.4.1.10 |

Remediation/Fixes

| Affected Product | Addressed in VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM API Connect V5.0.0.0-5.0.8.7 | 5.0.8.8 | LI81500 | Addressed in IBM API Connect V5.0.8.8. Developer Portal is impacted. Follow this link and find the "Portal" package: http://www.ibm.com/support/fixcentral/swg/quickorder |
| IBM API Connect V2018.4.1.0-2018.4.1.10 | 2018.4.1.11 | LI81500 | Addressed in IBM API Connect V2018.4.1.11. Developer Portal server is impacted. Follow this link and find the "Portal" package appropriate for your installation: http://www.ibm.com/support/fixcentral/swg/quickorder |

Workarounds and Mitigations

None