CVE-2020-7068 | Zend by Perforce

CVE-2020-7068 php: Use of freed hash key in the phar_parse_zipfile function

Publication Date	2020-08-06
Severity	Low
Type	Information Disclosure
Affected PHP Versions	5.6.0 - 5.6.40 7.0.0 - 7.0.33 7.1.0 - 7.1.33 7.2.0 - 7.2.32 7.3.0 - 7.3.20 7.4.0 - 7.4.8
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendServer 2019.0.5

CVE Details

The PHAR extension to PHP has a setting, phar.cache_list, that allows providing a map of PHAR archives to pre-parse at runtime startup, which provides a performance boost when running files out of these archives. However, in PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21, and 7.4.x below 7.4.9, a specially crafted PHAR file in that list that uses zip compression could exploit a PHAR parsing issue to access sensitive freed memory data.

Recommendations

Upgrade to PHP 7.2.33 or later, PHP 7.3.21 or later, or 7.4.9 or later, if possible.

If not, and you use the phar.cache_list setting to pre-parse PHAR files, audit your PHAR files, and do not use untrusted PHAR files in your web-facing applications.

< View all CVEs