CVE-2020-7063

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-7063
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7063.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-7063
Aliases
Downstream
Related
Published
2020-02-27T21:15:19.117Z
Modified
2026-04-11T12:35:00.134209Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.

Database specific 
{
    "unresolved_ranges": [
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "fixed": "5.19.0"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "10.0"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ]
        },
        {
            "source": "CPE_FIELD",
            "cpe": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
            "extracted_events": [
                {
                    "last_affected": "15.1"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
8148cbb78841c8ec0759c0836e7f35dec799d300
Last affected
40c86aa3af2e25971e9c13460ca874348456410d
Introduced
52ace952a1b65ca80fc2617f11c2fa6dd03f51bd
Last affected
4b2854db6fd2fae5a950ae7ce25257ee08cee916
Introduced
3c7824e16ec4c3cee417262445d2c2b66531c10f
Last affected
264ef4f16300270dd4e92d2510660836a4814579
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5dc92c2117cafc61daaaaa240fd46c3ac33872a4
Database specific 
{
    "source": "CPE_FIELD",
    "cpe": [
        "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
        "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "7.2.0"
        },
        {
            "last_affected": "7.2.27"
        },
        {
            "introduced": "7.3.0"
        },
        {
            "last_affected": "7.3.14"
        },
        {
            "introduced": "7.4.0"
        },
        {
            "last_affected": "7.4.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0"
        }
    ]
}

Affected versions

Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
php-7.*
php-7.2.27
php-7.3.14
php-7.3.14RC1
php-7.4.2
php-8.*
php-8.0.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7063.json"