CVE-2020-7061

EUVD-2020-28195
In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
phpCNA
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
Affected Products (NVD)
VendorProductVersion
phpphp
7.2.0 ≤
𝑥
≤ 7.2.27
phpphp
7.3.0 ≤
𝑥
≤ 7.3.14
phpphp
7.4.0 ≤
𝑥
≤ 7.4.2
tenabletenable.sc
𝑥
< 5.19.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
7.4.33-1+deb11u5
fixed
bullseye (security)
7.4.33-1+deb11u6
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php5
bionic
dne
eoan
dne
trusty
not-affected
xenial
dne
php7.0
bionic
dne
eoan
dne
trusty
dne
xenial
not-affected
php7.2
bionic
not-affected
eoan
dne
trusty
dne
xenial
dne
php7.3
bionic
dne
eoan
not-affected
trusty
dne
xenial
dne
php7.4
bionic
dne
eoan
dne
trusty
dne
xenial
dne
Common Weakness Enumeration
References
https://bugs.php.net/bug.php?id=79171
https://security.gentoo.org/glsa/202003-57
https://www.tenable.com/security/tns-2021-14
https://bugs.php.net/bug.php?id=79171
https://security.gentoo.org/glsa/202003-57
https://www.tenable.com/security/tns-2021-14