CVE-2020-7063: 
PHP vulnerability analysis and mitigation

CVE-2020-7063 affects PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3. The vulnerability relates to the PharData::buildFromIterator() function, where files are added to PHAR archives with default permissions (0666, or all access) even if the original files on the filesystem had more restrictive permissions (NVD).

When creating PHAR archives using the PharData::buildFromIterator() function, the files are added with default permissions (0666) regardless of their original filesystem permissions. This behavior differs from files added using PharData::addFile(), which preserves the original file permissions. The issue occurs specifically when using the buildFromIterator method to create tar archives (PHP Bug).

This vulnerability may result in files having more permissive access rights than intended when such archives are extracted. This could potentially lead to unauthorized access to sensitive files if an attacker has access to the extracted files (Rapid7).

The vulnerability has been fixed in PHP versions 7.2.28, 7.3.15, and 7.4.3 and later. Users should upgrade to these versions or later to address the issue. Various Linux distributions have also released security updates to address this vulnerability in their PHP packages (OpenSUSE, Ubuntu).