Description

In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.

Remediation

References

CVE-2020-7068

Related Vulnerabilities

Drupal Core 6.x Multiple Cross-Site Scripting Vulnerabilities (6.0 - 6.14)

Joomla Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2009-1499)

Atlassian Jira Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2021-26086)

Atlassian Jira Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-13391)

WordPress Plugin wptf-image-gallery Arbitrary File Download (1.0.3)

Severity

Low

Classification

CVE-2020-7068 CWE-416 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L

Tags

Missing Update Known Vulnerabilities