CVE-2020-7068

MEDIUM

PHP 7.2.0-7.2.32, 7.3.0-7.3.20, 7.4.0-7.4.8 - Use-After-Free in PHAR File Processing

Title source: llm
STIX 2.1

Description

In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.

References (5)

Core 5
Core References
Exploit, Mailing List, Patch, Vendor Advisory x_refsource_misc
https://bugs.php.net/bug.php?id=79797
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202009-10
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200918-0005/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4856
Patch, Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2021-14

Scores

CVSS v3 4.8
EPSS 0.0080
EPSS Percentile 74.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Details

CWE
CWE-416
Status published
Products (3)
debian/debian_linux 10.0
php/php 7.2.0 - 7.2.33
tenable/tenable.sc < 5.19.0
Published Sep 09, 2020
Tracked Since Feb 18, 2026