Description
The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c.
Remediation
References