{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "10.0" } ] }, { "events": [ { "introduced": "0" }, { "fixed": "5.19.0" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "7.2.0" }, { "fixed": "7.2.33" }, { "introduced": "7.3.0" }, { "fixed": "7.3.21" }, { "introduced": "7.4.0" }, { "fixed": "7.4.9" } ] }, "events": [ { "introduced": "8148cbb78841c8ec0759c0836e7f35dec799d300" }, { "fixed": "1ff373e57010ece24f162ea6b88dfe1d13593502" }, { "introduced": "52ace952a1b65ca80fc2617f11c2fa6dd03f51bd" }, { "fixed": "2b5ec153e4642b24cc999b0f7daa24096ebb191d" }, { "introduced": "3c7824e16ec4c3cee417262445d2c2b66531c10f" }, { "fixed": "b9ca291efb24a1b3bb26eb01fa90508ee097ba2c" } ], "repo": "https://github.com/php/php-src", "type": "GIT" } ] } ], "details": "In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.", "id": "CVE-2020-7068", "modified": "2026-03-13T21:52:29.796420588Z", "published": "2020-09-09T18:15:23.400Z", "references": [ { "type": "ADVISORY", "url": "https://security.gentoo.org/glsa/202009-10" }, { "type": "ADVISORY", "url": "https://security.netapp.com/advisory/ntap-20200918-0005/" }, { "type": "ADVISORY", "url": "https://www.debian.org/security/2021/dsa-4856" }, { "type": "FIX", "url": "https://bugs.php.net/bug.php?id=79797" }, { "type": "FIX", "url": "https://www.tenable.com/security/tns-2021-14" } ], "severity": [ { "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L", "type": "CVSS_V3" } ] }