Description
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating a PHAR archive using the PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem had more restrictive permissions. This may result in files having more lax permissions than intended when such an archive is extracted.
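As an added example (not code from the PHP project or from any of the advisories below), the following shows a build-side mitigation and a check for an existing archive: after buildFromIterator() returns its internal-path-to-source-path map, each entry's mode is reset from the source file with PharFileInfo::chmod(), and a second helper lists entries that would extract as world-writable. The function names and the temporary directory layout are my own.

```php
<?php
// Added example: wrap PharData::buildFromIterator() so that, even on an
// unpatched PHP (7.2 < 7.2.28, 7.3 < 7.3.15, 7.4 < 7.4.3), archive entries
// keep the mode of the files they were built from instead of 0666.
function buildPreservingModes(string $archive, string $srcDir): array
{
    $data = new PharData($archive);
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS)
    );
    // buildFromIterator() returns [internal path => source path].
    $added = $data->buildFromIterator($files, $srcDir);
    $modes = [];
    foreach ($added as $internal => $source) {
        $mode = fileperms($source) & 0777;   // e.g. 0600 for a private key
        $data[$internal]->chmod($mode);      // overwrite the 0666 default
        $modes[$internal] = $mode;
    }
    return $modes;
}

// Audit helper: returns [entry path => mode] for every entry that is
// world-writable, which is what the bug produces; empty means clean.
function findWorldWritable(string $archive): array
{
    $lax = [];
    foreach (new RecursiveIteratorIterator(new PharData($archive)) as $entry) {
        $mode = $entry->getPerms() & 0777;
        if ($mode & 0002) {
            $lax[$entry->getPathname()] = $mode;
        }
    }
    return $lax;
}

// Constructed demo input: a directory holding one 0600 secret, packed as .tar.
$src = sys_get_temp_dir() . '/phar-src-' . getmypid();
mkdir($src);
file_put_contents("$src/secret.key", "constructed-secret\n");
chmod("$src/secret.key", 0600);
$archive = sys_get_temp_dir() . '/build-' . getmypid() . '.tar';

$modes = buildPreservingModes($archive, $src);
printf("secret.key stored with mode %04o\n", $modes['secret.key']);
printf("world-writable entries: %d\n", count(findWorldWritable($archive)));
```

Running findWorldWritable() against archives produced by an older build pipeline is a cheap way to find artifacts that still carry the 0666 default before they are extracted on a target host.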
References (8)
Core References
- Exploit, Vendor Advisory (x_refsource_misc): https://bugs.php.net/bug.php?id=79082
- Third Party Advisory, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html
- Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/202003-57
- Third Party Advisory, mailing-list (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2020/03/msg00034.html
- Third Party Advisory, vendor-advisory (x_refsource_ubuntu): https://usn.ubuntu.com/4330-1/
- Third Party Advisory, vendor-advisory (x_refsource_debian): https://www.debian.org/security/2020/dsa-4717
- Third Party Advisory, vendor-advisory (x_refsource_debian): https://www.debian.org/security/2020/dsa-4719
- Patch, Third Party Advisory (x_refsource_confirm): https://www.tenable.com/security/tns-2021-14
Scores
CVSS v3: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS: 0.0030 (EPSS Percentile 53.7%)
Attack Vector: LOCAL
Details
CWE: CWE-281
Status: published
Products (6)
- debian/debian_linux 8.0
- debian/debian_linux 9.0
- debian/debian_linux 10.0
- opensuse/leap 15.1
- php/php 7.2.0 - 7.2.27
- tenable/tenable.sc < 5.19.0
Published: Feb 27, 2020
Tracked Since: Feb 18, 2026