CVE-2020-7063Improper Preservation of Permissions in Group PHP

CWE-281Improper Preservation of PermissionsCWE-284Improper Access Control10 documents8 sources
Severity
5.3MEDIUMNVD
CNA5.5OSV7.5
EPSS
0.3%
top 46.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
PHP Group PHPTenable Tenable.scPhp5+3 more
Timeline
PublishedFeb 27
Latest updateMay 24

Description

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

CVEListV5php_group/php7.3.x7.3.15+2
NVDtenable/tenable.sc< 5.19.0
Ubuntuphp5/php5< 5.5.9+dfsg-1ubuntu4.29+esm11
NVDphp/php7.2.07.2.27+2
NVDopensuse/leap15.1

Also affects: Debian Linux 10.0, 8.0, 9.0

Patches

Patch: www.tenable.comPatch: www.tenable.com

🔴Vulnerability Details

4
GHSA
GHSA-rm3c-r6h9-r9rg: In PHP versions 72022-05-24
OSV
php5, php7.0, php7.2, php7.3 vulnerabilities2020-04-15
CVEList
Files added to tar with Phar::buildFromIterator have all-access permissions2020-02-27
OSV
CVE-2020-7063: In PHP versions 72020-02-27

📋Vendor Advisories

3
Ubuntu
PHP vulnerabilities2020-04-15
Red Hat
php: Files added to tar with Phar::buildFromIterator have all-access permissions2020-01-08
Debian
CVE-2020-7063: php7.4 - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, wh...2020

💬Community

2
Bugzilla
CVE-2020-7063 php: files added to tar with Phar::buildFromIterator have all-access permissions [fedora-all]2020-02-28
Bugzilla
CVE-2020-7063 php: Files added to tar with Phar::buildFromIterator have all-access permissions2020-02-28
CVE-2020-7063 — Improper Preservation of Permissions | cvebase