openSUSE-SU-2020:0341

https://bugs.php.net/bug.php?id=79221

[debian-lts-announce] 20200326 [SECURITY] [DLA 2160-1] php5 security update

GLSA-202003-57

USN-4330-1

DSA-4717

DSA-4719

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-3662 advisory.

  - Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x     below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may     lead to information disclosure or crash. (CVE-2019-11039)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in     PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with     data what will cause it to read past the allocated buffer. This may lead to information disclosure or     crash. (CVE-2019-11040)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in     PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with     data what will cause it to read past the allocated buffer. This may lead to information disclosure or     crash. (CVE-2019-11041, CVE-2019-11042)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts     filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security     vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what     will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
    (CVE-2019-11047, CVE-2019-11050)

  - In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are     allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized     memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files     created by upload request. This potentially could lead to accumulation of uncleaned temporary files     exhausting the disk space on the target server. (CVE-2019-11048)

  - A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause     information disclosure, denial of service, or possibly code execution by providing a crafted regular     expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that     gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional     libraries for PHP and Rust. (CVE-2019-13224)

  - A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially     cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as     well as common optional libraries for PHP and Rust. (CVE-2019-13225)

  - Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.
    (CVE-2019-16163)

  - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file     gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string.
    This leads to a heap-based buffer over-read. (CVE-2019-19203)

  - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier     (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This     leads to a heap-based buffer over-read. (CVE-2019-19204)

  - Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in     str_lower_case_match in regexec.c. (CVE-2019-19246)

  - An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to     match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may     be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in     do_extuni_no_utf in pcre2_jit_compile.c. (CVE-2019-20454)

  - When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x     below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read     past the allocated buffer. This may lead to information disclosure or crash. (CVE-2020-7059)

  - When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27,     7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function     mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or     crash. (CVE-2020-7060)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload     functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0     (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist     and encounter null pointer dereference, which would likely lead to a crash. (CVE-2020-7062)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive     using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all     access) even if the original files on the filesystem were with more restrictive permissions. This may     result in files having more lax permissions than intended when such archive is extracted. (CVE-2020-7063)

  - In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with     exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of     uninitialized memory. This could potentially lead to information disclosure or crash. (CVE-2020-7064)

  - In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with     UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could     lead to memory corruption, crashes and potentially code execution. (CVE-2020-7065)

  - In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers()     with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it.
    This may cause some software to make incorrect assumptions about the target of the get_headers() and     possibly send some information to a wrong server. (CVE-2020-7066)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3662 advisory.

  - php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039)

  - php: Buffer over-read in exif_read_data() (CVE-2019-11040)

  - php: Heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041)

  - php: Heap buffer over-read in exif_process_user_comment() (CVE-2019-11042)

  - php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at     that byte (CVE-2019-11045)

  - php: Information disclosure in exif_read_data() (CVE-2019-11047)

  - php: Integer wraparounds when receiving multipart forms (CVE-2019-11048)

  - php: Out of bounds read when parsing EXIF information (CVE-2019-11050)

  - oniguruma: Use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224)

  - oniguruma: NULL pointer dereference in match_at() in regexec.c (CVE-2019-13225)

  - oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163)

  - oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203)

  - oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c     (CVE-2019-19204)

  - oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246)

  - pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454)

  - php: Out of bounds read in php_strip_tags_ex (CVE-2020-7059)

  - php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function (CVE-2020-7060)

  - php: NULL pointer dereference in PHP session upload progress (CVE-2020-7062)

  - php: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)

  - php: Information disclosure in exif_read_data() function (CVE-2020-7064)

  - php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution     (CVE-2020-7065)

  - php: Information disclosure in function get_headers (CVE-2020-7066)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the php packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17     and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC     support (uncommon), urldecode() function can be made to     access locations past the allocated memory, due to     erroneously using signed numbers as array     indexes.(CVE-2020-7067)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15     and 7.4.x below 7.4.3, when using file upload     functionality, if upload progress tracking is enabled,     but session.upload_progress.cleanup is set to 0     (disabled), and the file upload fails, the upload     procedure would try to clean up data that does not     exist and encounter null pointer dereference, which     would likely lead to a crash.(CVE-2020-7062)

  - When using certain mbstring functions to convert     multibyte encodings, in PHP versions 7.2.x below     7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is     possible to supply data that will cause function     mbfl_filt_conv_big5_wchar to read past the allocated     buffer. This may lead to information disclosure or     crash.(CVE-2020-7060)

  - When using fgetss() function to read data with     stripping tags, in PHP versions 7.2.x below 7.2.27,     7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible     to supply data that will cause this function to read     past the allocated buffer. This may lead to information     disclosure or crash.(CVE-2020-7059)

  - University of Washington IMAP Toolkit 2007f on UNIX, as     used in imap_open() in PHP and other products, launches     an rsh command (by means of the imap_rimap function in     c-client/imap4r1.c and the tcp_aopen function in     osdep/unix/tcp_unix.c) without preventing argument     injection, which might allow remote attackers to     execute arbitrary OS commands if the IMAP server name     is untrusted input (e.g., entered by a user of a web     application) and if rsh has been replaced by a program     with different argument semantics. For example, if rsh     is a link to ssh (as seen on Debian and Ubuntu     systems), then the attack can use an IMAP server name     containing a '-oProxyCommand' argument.(CVE-2018-19518)

  - ext/standard/var_unserializer.c in PHP 5.x through     7.1.24 allows attackers to cause a denial of service     (application crash) via an unserialize call for the     com, dotnet, or variant class.(CVE-2018-19396)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15     and 7.4.x below 7.4.3, when creating PHAR archive using     PharData::buildFromIterator() function, the files are     added with default permissions (0666, or all access)     even if the original files on the filesystem were with     more restrictive permissions. This may result in files     having more lax permissions than intended when such     archive is extracted.(CVE-2020-7063)

  - In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18     and 7.4.x below 7.4.6, when HTTP file uploads are     allowed, supplying overly long filenames or field names     could lead PHP engine to try to allocate oversized     memory storage, hit the memory limit and stop     processing the request, without cleaning up temporary     files created by upload request. This potentially could     lead to accumulation of uncleaned temporary files     exhausting the disk space on the target     server.(CVE-2019-11048)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15     and 7.4.x below 7.4.3, when creating PHAR archive using     PharData::buildFromIterator() function, the files are     added with default permissions (0666, or all access)     even if the original files on the filesystem were with     more restrictive permissions. This may result in files     having more lax permissions than intended when such     archive is extracted.(CVE-2020-7063)

  - In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18     and 7.4.x below 7.4.6, when HTTP file uploads are     allowed, supplying overly long filenames or field names     could lead PHP engine to try to allocate oversized     memory storage, hit the memory limit and stop     processing the request, without cleaning up temporary     files created by upload request. This potentially could     lead to accumulation of uncleaned temporary files     exhausting the disk space on the target     server.(CVE-2019-11048)

  - University of Washington IMAP Toolkit 2007f on UNIX, as     used in imap_open() in PHP and other products, launches     an rsh command (by means of the imap_rimap function in     c-client/imap4r1.c and the tcp_aopen function in     osdep/unix/tcp_unix.c) without preventing argument     injection, which might allow remote attackers to     execute arbitrary OS commands if the IMAP server name     is untrusted input (e.g., entered by a user of a web     application) and if rsh has been replaced by a program     with different argument semantics. For example, if rsh     is a link to ssh (as seen on Debian and Ubuntu     systems), then the attack can use an IMAP server name     containing a '-oProxyCommand' argument.(CVE-2018-19518)

  - ext/standard/var_unserializer.c in PHP 5.x through     7.1.24 allows attackers to cause a denial of service     (application crash) via an unserialize call for the     com, dotnet, or variant class.(CVE-2018-19396)

  - When using certain mbstring functions to convert     multibyte encodings, in PHP versions 7.2.x below     7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is     possible to supply data that will cause function     mbfl_filt_conv_big5_wchar to read past the allocated     buffer. This may lead to information disclosure or     crash.(CVE-2020-7060)

  - When using fgetss() function to read data with     stripping tags, in PHP versions 7.2.x below 7.2.27,     7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible     to supply data that will cause this function to read     past the allocated buffer. This may lead to information     disclosure or crash.(CVE-2020-7059)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15     and 7.4.x below 7.4.3, when using file upload     functionality, if upload progress tracking is enabled,     but session.upload_progress.cleanup is set to 0     (disabled), and the file upload fails, the upload     procedure would try to clean up data that does not     exist and encounter null pointer dereference, which     would likely lead to a crash.(CVE-2020-7062)

  - In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17     and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC     support (uncommon), urldecode() function can be made to     access locations past the allocated memory, due to     erroneously using signed numbers as array     indexes.(CVE-2020-7067)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or potentially the execution of arbitrary code.

It was discovered that PHP incorrectly handled certain file uploads.
An attacker could possibly use this issue to cause a crash.
(CVE-2020-7062)

It was discovered that PHP incorrectly handled certain PHAR archive files. An attacker could possibly use this issue to access sensitive information. (CVE-2020-7063)

It was discovered that PHP incorrectly handled certain EXIF files. An attacker could possibly use this issue to access sensitive information or cause a crash. (CVE-2020-7064)

It was discovered that PHP incorrectly handled certain UTF strings. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 19.10. (CVE-2020-7065)

It was discovered that PHP incorrectly handled certain URLs. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2020-7066).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202003-57 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker could possibly execute arbitrary shell commands, cause a       Denial of Service condition or obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

Two security issues have been identified and fixed in php5, a server-side, HTML-embedded scripting language.

CVE-2020-7062 is about a possible NULL pointer derefernce, which would likely lead to a crash, during a failed upload with progress tracking.
CVE-2020-7063 is about wrong file permissions of files added to tar with Phar::buildFromIterator when extracting them again.

For Debian 8 'Jessie', these problems have been fixed in version 5.6.40+dfsg-0+deb8u10.

We recommend that you upgrade your php5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php7 fixes the following issues :

  - CVE-2020-7062: Fixed a NULL pointer dereference when     using file upload functionality under specific     circumstances (bsc#1165280).

  - CVE-2020-7063: Fixed an issue where adding files change     the permissions to default (bsc#1165289).

  - CVE-2020-7059: Fixed an out of bounds read in     php_strip_tags_ex which may have led to denial of     service (bsc#1162629).

  - CVE-2020-7060: Fixed a global buffer overflow in     mbfl_filt_conv_big5_wchar which may have led to memory     corruption (bsc#1162632). 

This update was imported from the SUSE:SLE-15:Update update project.

In PHP versions 7.3.x below 7.3.15 and 7.4.x below 7.4.3, while extracting PHAR files on Windows using phar extension, certain content inside PHAR file could lead to one-byte read past the allocated buffer. This could potentially lead to information disclosure or crash. (CVE-2020-7061)

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter NULL pointer dereference, which would likely lead to a crash. (CVE-2020-7062)

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.
(CVE-2020-7063)

This update for php5 fixes the following issues :

CVE-2020-7062: Fixed a NULL pointer dereference when using file upload functionality under specific circumstances (bsc#1165280).

CVE-2020-7063: Fixed an issue where adding files change the permissions to default (bsc#1165289).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php72 fixes the following issues :

CVE-2020-7062: Fixed a NULL pointer dereference when using file upload functionality under specific circumstances (bsc#1165280).

CVE-2020-7063: Fixed an issue where adding files change the permissions to default (bsc#1165289).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php7 fixes the following issues :

CVE-2020-7062: Fixed a NULL pointer dereference when using file upload functionality under specific circumstances (bsc#1165280).

CVE-2020-7063: Fixed an issue where adding files change the permissions to default (bsc#1165289).

CVE-2020-7059: Fixed an out of bounds read in php_strip_tags_ex which may have led to denial of service (bsc#1162629).

CVE-2020-7060: Fixed a global buffer overflow in mbfl_filt_conv_big5_wchar which may have led to memory corruption (bsc#1162632).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is either 7.2.x prior to 7.2.28, 7.3.x prior to 7.3.15, or 7.4.x prior to 7.4.3. It is, therefore, affected by multiple vulnerabilities:

  - A heap-based buffer overflow condition exists in phar_extract_file()     function due to incorrect loop termination. An unauthenticated, remote     attacker can exploit this to cause a denial of service condition or the     execution of arbitrary code. (CVE-2020-7061)

  - A denial of service (DoS) vulnerability exists in PHP SessionUpload     Progress functions due to Null Pointer Dereference. An unauthenticated,     remote attacker can exploit this issue to cause the php service to stop     responding. (CVE-2020-7062)     
 - An Insecure File Permissions on the buildFromIterator function gives all     access permission to Tar files. (CVE-2020-7063)

**PHP version 7.3.15** (20 Feb 2020)

**Core:**

  - Fixed bug php#71876 (Memory corruption     htmlspecialchars(): charset `*' not supported). (Nikita)

  - Fixed bug #php#79146 (cscript can fail to run on some     systems). (clarodeus)

  - Fixed bug php#78323 (Code 0 is returned on invalid     options). (Ivan Mikheykin)

  - Fixed bug php#76047 (Use-after-free when accessing     already destructed backtrace arguments). (Nikita)

**CURL:**

  - Fixed bug php#79078 (Hypothetical use-after-free in     curl_multi_add_handle()). (cmb)

**Intl:**

  - Fixed bug php#79212 (NumberFormatter::format() may     detect wrong type). (cmb)

**Libxml:**

  - Fixed bug php#79191 (Error in SoapClient ctor disables     DOMDocument::save()). (Nikita, cmb)

**MBString:**

  - Fixed bug php#79154 (mb_convert_encoding() can modify     $from_encoding). (cmb)

**MySQLnd:**

  - Fixed bug php#79084 (mysqlnd may fetch wrong column     indexes with MYSQLI_BOTH). (cmb)

**OpenSSL:**

  - Fixed bug php#79145 (openssl memory leak). (cmb, Nikita)

**Phar:**

  - Fixed bug php#79082 (Files added to tar with     Phar::buildFromIterator have all-access permissions).
    (**CVE-2020-7063**) (stas)

  - Fixed bug php#79171 (heap-buffer-overflow in     phar_extract_file). (**CVE-2020-7061**) (cmb)

  - Fixed bug php#76584 (PharFileInfo::decompress not     working). (cmb)

**Reflection:**

  - Fixed bug php#79115 (ReflectionClass::isCloneable call     reflected class __destruct). (Nikita)

**Session:**

  - Fixed bug php#79221 (NULL pointer Dereference in PHP     Session Upload Progress). (**CVE-2020-7062**) (stas)

**SPL:**

  - Fixed bug php#79151 (heap use after free caused by     spl_dllist_it_helper_move_forward). (Nikita)

**Standard:**

  - Fixed bug php#78902 (Memory leak when using     stream_filter_append). (liudaixiao)

**Testing:**

  - Fixed bug php#78090 (bug45161.phpt takes forever to     finish). (cmb)

**XSL:**

  - Fixed bug php#70078 (XSL callbacks with nodes as     parameter leak memory). (cmb)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is prior to 7.2.28, 7.3.x prior to 7.3.15, or 7.4.x prior to 7.4.3. It is, therefore, affected by multiple vulnerabilities:

 - A heap buffer overflow exists in phar_extract_file. (CVE-2020-7061)

 - A null pointer dereference exists in PHP session upload progress. (CVE-2020-7062)

 - A file permissions bypass exists when files are added to tar with Phar::buildFromIterator. (CVE-2020-7063)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
140482	Oracle Linux 8 : php:7.3 (ELSA-2020-3662)	Nessus	Oracle Linux Local Security Checks	high
140396	RHEL 8 : php:7.3 (RHSA-2020:3662)	Nessus	Red Hat Local Security Checks	high
139998	EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2020-1895)	Nessus	Huawei Local Security Checks	high
139151	EulerOS 2.0 SP8 : php (EulerOS-SA-2020-1821)	Nessus	Huawei Local Security Checks	high
138225	Debian DSA-4719-1 : php7.3 - security update	Nessus	Debian Local Security Checks	medium
138106	Debian DSA-4717-1 : php7.0 - security update	Nessus	Debian Local Security Checks	medium
135672	Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : PHP vulnerabilities (USN-4330-1)	Nessus	Ubuntu Local Security Checks	medium
134965	GLSA-202003-57 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
134955	Debian DLA-2160-1 : php5 security update	Nessus	Debian Local Security Checks	medium
134618	openSUSE Security Update : php7 (openSUSE-2020-341)	Nessus	SuSE Local Security Checks	medium
134573	Amazon Linux AMI : php73 (ALAS-2020-1351)	Nessus	Amazon Linux Local Security Checks	medium
134572	Amazon Linux AMI : php72 (ALAS-2020-1350)	Nessus	Amazon Linux Local Security Checks	medium
134560	SUSE SLES12 Security Update : php5 (SUSE-SU-2020:0658-1)	Nessus	SuSE Local Security Checks	medium
134441	SUSE SLES12 Security Update : php72 (SUSE-SU-2020:0647-1)	Nessus	SuSE Local Security Checks	medium
134365	SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2020:0622-1)	Nessus	SuSE Local Security Checks	medium
134162	PHP 7.2.x < 7.2.28 / PHP 7.3.x < 7.3.15 / 7.4.x < 7.4.3 Multiple Vulnerabilities	Nessus	CGI abuses	medium
134133	Fedora 30 : php (2020-4ea970ebc6)	Nessus	Fedora Local Security Checks	medium
134132	Fedora 31 : php (2020-32f9a2b308)	Nessus	Fedora Local Security Checks	medium
98975	PHP 7.2.x < 7.2.28 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98974	PHP 7.3.x < 7.3.15 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98973	PHP 7.4.x < 7.4.3 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium

CVE-2020-7062

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins