Fluid Attacks Database

Description

In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	php7.4	>=0 <7.4.9-1	7.4.9-1
rpm rhel5	php	-	-
rpm rhel6	php	-	-
rpm rhel7	php	-	-
rpm rhel8	php	-	-
rpm rhel5	php53	-	-

Aliases

1. CVE-2020-70682. NVD-2020-70683. OSV-DEBIAN-2020-70684. OSV-2020-70685. SECURITY-TRACKER-CVE-2020-7068

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.