PHP up to 5.6.38/7.0.32/7.1.24/7.2.12 PHAR ext/phar/phar.c phar_parse_pharfile out-of-bounds

Summaryinfo

A vulnerability identified as critical has been detected in PHP up to 5.6.38/7.0.32/7.1.24/7.2.12. Affected by this issue is the function phar_parse_pharfile of the file ext/phar/phar.c of the component PHAR. This manipulation causes out-of-bounds. This vulnerability is tracked as CVE-2018-20783. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in PHP up to 5.6.38/7.0.32/7.1.24/7.2.12 (Programming Language Software). Affected by this vulnerability is the function phar_parse_pharfile of the file ext/phar/phar.c of the component PHAR. The manipulation with an unknown input leads to a out-of-bounds vulnerability. The CWE definition for the vulnerability is CWE-125. The product reads data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality. The summary by CVE is:

In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c.

The bug was discovered 10/23/2018. The weakness was disclosed 02/21/2019 (Website). The advisory is shared at access.redhat.com. This vulnerability is known as CVE-2018-20783 since 02/21/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are known, but no exploit is available.

The vulnerability was handled as a non-public zero-day exploit for at least 121 days. During that time the estimated underground price was around $5k-$25k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 172199 (SUSE Enterprise Linux Security Update for php53 (SUSE-SU-2019:14013-1)).

Upgrading to version 5.6.39, 7.0.33, 7.1.24 or 7.2.12 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 107156†). The entries VDB-131109, VDB-131110, VDB-131111 and VDB-131112 are pretty similar. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Programming Language Software

Name

• PHP

Version

• 5.6.0
• 5.6.1
• 5.6.2
• 5.6.3
• 5.6.4
• 5.6.5
• 5.6.6
• 5.6.7
• 5.6.8
• 5.6.9
• 5.6.10
• 5.6.11
• 5.6.12
• 5.6.13
• 5.6.14
• 5.6.15
• 5.6.16
• 5.6.17
• 5.6.18
• 5.6.19
• 5.6.20
• 5.6.21
• 5.6.22
• 5.6.23
• 5.6.24
• 5.6.25
• 5.6.26
• 5.6.27
• 5.6.28
• 5.6.29
• 5.6.30
• 5.6.31
• 5.6.32
• 5.6.33
• 5.6.34
• 5.6.35
• 5.6.36
• 5.6.37
• 5.6.38
• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.0.7
• 7.0.8
• 7.0.9
• 7.0.10
• 7.0.11
• 7.0.12
• 7.0.13
• 7.0.14
• 7.0.15
• 7.0.16
• 7.0.17
• 7.0.18
• 7.0.19
• 7.0.20
• 7.0.21
• 7.0.22
• 7.0.23
• 7.0.24
• 7.0.25
• 7.0.26
• 7.0.27
• 7.0.28
• 7.0.29
• 7.0.30
• 7.0.31
• 7.0.32
• 7.1.0
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.4
• 7.1.5
• 7.1.6
• 7.1.7
• 7.1.8
• 7.1.9
• 7.1.10
• 7.1.11
• 7.1.12
• 7.1.13
• 7.1.14
• 7.1.15
• 7.1.16
• 7.1.17
• 7.1.18
• 7.1.19
• 7.1.20
• 7.1.21
• 7.1.22
• 7.1.23
• 7.1.24
• 7.2.0
• 7.2.1
• 7.2.2
• 7.2.3
• 7.2.4
• 7.2.5
• 7.2.6
• 7.2.7
• 7.2.8
• 7.2.9
• 7.2.10
• 7.2.11
• 7.2.12

License

• open-source

Website

• Product: https://www.php.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion