CVE-2020-7068 php: Use of freed hash key in the phar_parse_zipfile function
The PHAR extension to PHP has a setting, phar.cache_list, that allows providing a map of PHAR archives to pre-parse at runtime startup, which provides a performance boost when running files out of these archives. However, in PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21, and 7.4.x below 7.4.9, a specially crafted PHAR file in that list that uses zip compression could exploit a PHAR parsing issue to access sensitive freed memory data.
Upgrade to PHP 7.2.33 or later, PHP 7.3.21 or later, or PHP 7.4.9 or later, if possible.
If not, and you use the phar.cache_list setting to pre-parse PHAR files, audit your PHAR files, and do not use untrusted PHAR files in your web-facing applications.
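One way to run the audit described above, as an added example that is not code from Zend or the PHP project: it takes the PHP version string and the phar.cache_list value as you would read them from the runtime configuration, checks the version against the fixed releases named in this advisory, and flags zip-based archives in the list for review. The function names and report layout are hypothetical, and the zip check relies on Python's zipfile.is_zipfile as a heuristic for "zip-based PHAR".

```python
import os
import re
import tempfile
import zipfile

# First fixed release per branch, as stated in the advisory.
FIXED_PATCH = {(7, 2): 33, (7, 3): 21, (7, 4): 9}


def version_status(version):
    """Return 'affected', 'fixed' or 'not-listed' for a PHP version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "not-listed"  # branch not named by the advisory; not a verdict of safe
    return "affected" if patch < fixed else "fixed"


def audit(version, cache_list, sep=os.pathsep):
    """Classify each archive in a phar.cache_list value and flag those to review."""
    status = version_status(version)
    report = {"version_status": status, "archives": {}, "review": []}
    for path in (p.strip() for p in cache_list.split(sep)):
        if not path:
            continue
        if not os.path.isfile(path):
            kind = "missing"
        elif zipfile.is_zipfile(path):
            kind = "zip"  # zip-based PHAR: the format the advisory describes
        else:
            kind = "other"
        report["archives"][path] = kind
        if status == "affected" and kind == "zip":
            report["review"].append(path)
    return report


if __name__ == "__main__":
    # Constructed sample: one zip-based archive and one non-zip file.
    with tempfile.TemporaryDirectory() as d:
        zpath, opath = os.path.join(d, "app.phar"), os.path.join(d, "lib.phar")
        with zipfile.ZipFile(zpath, "w") as z:
            z.writestr("index.php", "<?php echo 'hi';")
        with open(opath, "wb") as f:
            f.write(b"<?php __HALT_COMPILER(); ?>\r\n")
        print(audit("7.4.8", os.pathsep.join([zpath, opath])))
```

Distribution packages that backport security fixes keep an older upstream version number, so confirm an "affected" result against the vendor's own advisory before acting on it.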