CVE-2020-7063
Files added to tar with Phar::buildFromIterator have all-access permissions
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem were with more restrictive permissions. This may result in files having more lax permissions than intended when such archive is extracted.
We have discovered 597,107 live websites that are affected by CVE-2020-7063.
Affected Software
| Product |  PHP |
| Category | Programming Languages |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 507 |
| Vulnerable Domains | 597,107 live websites (4.94% of PHP install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2020-7063 and the relative popularity of websitesDetails
- Published - Feb 17, 2020
- Updated - Jul 23, 2021
Credits
- Reported by dr at loopia dot rs
CWE
CVE References
CWE References
Countries
 United States | 116,767 websites |
 France | 243,435 websites |
 Russia | 65,483 websites |
 China | 19,774 websites |
 Poland | 12,637 websites |
 Germany | 12,579 websites |
 Italy | 11,587 websites |
 Belgium | 11,540 websites |
 Spain | 9,542 websites |
 GB | 9,259 websites |
TLDs
| .com | 243,650 websites |
| .fr | 108,916 websites |
| .ru | 63,371 websites |
| .org | 23,678 websites |
| .net | 15,905 websites |
| .be | 12,936 websites |
| .pl | 9,936 websites |
| .it | 8,714 websites |
| .de | 7,647 websites |
| .nl | 6,669 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2020-7063 through included software libraries and plugins.References
- https://bugs.php.net/bug.php?id=79082
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html
- https://security.gentoo.org/glsa/202003-57
- https://lists.debian.org/debian-lts-announce/2020/03/msg00034.html
- https://usn.ubuntu.com/4330-1/
- https://www.debian.org/security/2020/dsa-4717
- https://www.debian.org/security/2020/dsa-4719
- https://www.tenable.com/security/tns-2021-14
Websites affected by CVE-2020-7063
Top websites that are affected by CVE-2020-7063. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.*****.cz |  Czech Republic | *,*** | |
| *.cn | China | *,*** | |
| ***.*.cn | China | *,*** | |
| *****.***.cn | China | *,*** | |
| ***.*****.***.cn | China | *,*** | |
| *****.cn | China | *,*** | |
| ***.*****.cn | China | *,*** | |
| ***.*********.com | China | *,*** | |
| *.***.cn | China | *,*** | |
| ***.*.***.cn | China | *,*** |