CVE-2020-7061

In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
phpCNA
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
VendorProductVersion
phpphp
7.2.0 ≤
𝑥
≤ 7.2.27
phpphp
7.3.0 ≤
𝑥
≤ 7.3.14
phpphp
7.4.0 ≤
𝑥
≤ 7.4.2
tenabletenable.sc
𝑥
< 5.19.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php7.4
bullseye
7.4.33-1+deb11u5
fixed
bullseye (security)
7.4.33-1+deb11u6
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
php5
eoan
dne
bionic
dne
xenial
dne
trusty
not-affected
php7.0
eoan
dne
bionic
dne
xenial
not-affected
trusty
dne
php7.2
eoan
dne
bionic
not-affected
xenial
dne
trusty
dne
php7.3
eoan
not-affected
bionic
dne
xenial
dne
trusty
dne
php7.4
eoan
dne
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://bugs.php.net/bug.php?id=79171
https://security.gentoo.org/glsa/202003-57
https://www.tenable.com/security/tns-2021-14
https://bugs.php.net/bug.php?id=79171
https://security.gentoo.org/glsa/202003-57
https://www.tenable.com/security/tns-2021-14