Innovate faster and cut risk with PHP experts from Zend Services.
Beginning to advanced PHP classes to learn and earn global certification.
Help me choose >
Submit support requests and browse self-service resources.
CVE-2020-7068 php: Use of freed hash key in the phar_parse_zipfile function
The PHAR extension to PHP has a setting, phar.cache_list, that allows providing a map of PHAR archives to pre-parse at runtime startup, which provides a performance boost when running files out of these archives. However, in PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21, and 7.4.x below 7.4.9, a specially crafted PHAR file in that list that uses zip compression could exploit a PHAR parsing issue to access sensitive freed memory data.
Upgrade to PHP 7.2.33 or later, PHP 7.3.21 or later, or 7.4.9 or later, if possible.
If not, and you use the phar.cache_list setting to pre-parse PHAR files, audit your PHAR files, and do not use untrusted PHAR files in your web-facing applications.
Direct link to CVE-2020-7068 >
< View all CVEs