CVE-2020-7068 php: Use of freed hash key in the phar_parse_zipfile function
The PHAR extension to PHP has a setting, phar.cache_list, that allows providing a map of PHAR archives to pre-parse at runtime startup, which provides a performance boost when running files out of these archives. However, in PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21, and 7.4.x below 7.4.9, a specially crafted PHAR file in that list that uses zip compression could exploit a PHAR parsing issue to access sensitive freed memory data.
Upgrade to PHP 7.2.33 or later, PHP 7.3.21 or later, or PHP 7.4.9 or later, if possible.
If you cannot upgrade and you use the phar.cache_list setting to pre-parse PHAR files, audit your PHAR files, and do not use untrusted PHAR files in your web-facing applications.
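One way to script the audit described above, as an added example that is not Zend's or the PHP project's code: it checks a PHP version against the affected ranges, reads the phar.cache_list entries from php.ini text, and flags pre-parsed archives that are in zip format. The function names, the status labels and the use of the zip local-header signature to recognise zip-format archives are assumptions of this example.

```python
import re

# Affected ranges as stated in the advisory: branch -> first fixed patch.
FIXED = {(7, 2): 33, (7, 3): 21, (7, 4): 9}
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header signature

def is_affected(version):
    """True if the version is in a range the advisory lists. Branches the
    advisory does not mention return False (not listed, not 'safe')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def cache_list(ini_text, sep=":"):
    """Archive paths from the last active phar.cache_list line.
    sep is the platform path separator (':' on Unix, ';' on Windows)."""
    paths = []
    for line in ini_text.splitlines():
        m = re.match(r"\s*phar\.cache_list\s*=\s*(.*)$", line)
        if m:  # lines starting with ';' are comments and never match
            value = m.group(1).strip().strip('"')
            paths = [p for p in value.split(sep) if p]
    return paths

def read_header(path):
    with open(path, "rb") as fh:
        return fh.read(4)

def audit(version, ini_text, read_header=read_header, sep=":"):
    """Map each pre-parsed archive to 'review' (zip format on an affected
    PHP version), 'no-match', or 'unreadable'."""
    affected = is_affected(version)
    result = {}
    for path in cache_list(ini_text, sep):
        try:
            is_zip = read_header(path) == ZIP_MAGIC
        except OSError:
            result[path] = "unreadable"
            continue
        result[path] = "review" if affected and is_zip else "no-match"
    return result

if __name__ == "__main__":
    # Constructed sample input: php.ini fragment and first bytes of each file.
    ini = ";phar.cache_list = /old.phar\nphar.cache_list = /srv/app.phar:/srv/lib.phar\n"
    heads = {"/srv/app.phar": ZIP_MAGIC, "/srv/lib.phar": b"<?ph"}
    print(audit("7.3.20", ini, heads.__getitem__))
```

Pass the php.ini that the web-facing SAPI actually loads, since the CLI may read a different file.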