Advisory 2023-09/01 PHP Vulnerabilities
| Field | Detail |
| --- | --- |
| Vulnerability type | Overflow, memory corruption, XXE injection |
| Severity factors | FileCloud users are not at risk of being exposed to these vulnerabilities. However, FileCloud is updating PHP to the latest version, currently 8.2.10. |
| Versions affected | FileCloud versions 22.1 and 23.1 are not affected by these vulnerabilities, but bundle the affected PHP versions. |
| Version fixed | FileCloud version 23.1.2 and later |
Description
In PHP versions 8.0.*, 8.1.*, and 8.2.* that predate the upstream fixes (the 8.2.10 release that FileCloud now bundles includes them):
- When loading a phar file and reading PHAR directory entries, insufficient length checking can cause a stack buffer overflow, potentially leading to memory corruption or remote code execution (RCE).
- XML external entity (XXE) injection can disclose local files that are readable by the PHP process.
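The length-check failure described in the first bullet, shown as an added illustration of the bug class. This is constructed example code, not PHP's phar implementation and not FileCloud's code: the entry layout (a 4-byte little-endian length followed by the name), the NAME_MAX limit, the function names and the sample entries are all assumptions made for the example. The unsafe parser copies as many bytes as the file claims into a fixed stack buffer; the hardened parser rejects any entry whose declared length exceeds either the destination buffer or the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed entry layout used only for this illustration (this is NOT
 * the real phar manifest format):
 *   bytes 0..3 : little-endian uint32, length of the entry name
 *   bytes 4..  : the name, not NUL-terminated
 */
#define NAME_MAX 32

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length field is taken from the file and used as
 * the copy size into a fixed-size stack buffer. An entry declaring a length
 * above NAME_MAX overruns the frame (memory corruption, possibly RCE).
 * Kept here for contrast; only ever called on the benign sample below. */
static size_t parse_entry_unsafe(const uint8_t *buf, size_t buf_len)
{
    char name[NAME_MAX + 1];
    uint32_t name_len;

    if (buf_len < 4)
        return 0;
    name_len = read_u32le(buf);
    memcpy(name, buf + 4, name_len);   /* name_len never compared to NAME_MAX */
    name[name_len] = '\0';
    printf("unsafe parser read entry: %s\n", name);
    return 4 + (size_t)name_len;
}

/* Hardened version: the declared length is checked against the destination
 * buffer and against the bytes actually present before any copy happens.
 * Returns bytes consumed, or -1 if the entry is rejected. */
static int parse_entry_safe(const uint8_t *buf, size_t buf_len,
                            char *name_out, size_t name_out_len)
{
    uint32_t name_len;

    if (buf_len < 4 || name_out_len == 0)
        return -1;
    name_len = read_u32le(buf);
    if (name_len >= name_out_len)      /* must leave room for the NUL */
        return -1;
    if (name_len > buf_len - 4)        /* declared length exceeds the data */
        return -1;
    memcpy(name_out, buf + 4, name_len);
    name_out[name_len] = '\0';
    return (int)(4 + name_len);
}

/* Constructed sample entries (assumptions for this example). */
static const uint8_t entry_good[]      = { 0x05, 0x00, 0x00, 0x00, 'a', '.', 'p', 'h', 'p' };
static const uint8_t entry_oversize[]  = { 0xFF, 0xFF, 0x00, 0x00, 'x' };       /* claims 65535 bytes */
static const uint8_t entry_truncated[] = { 0x10, 0x00, 0x00, 0x00, 'a', 'b' };  /* claims 16, has 2 */

static char scratch[NAME_MAX + 1];

/* Runs the three samples through the hardened parser; returns how many
 * behave as expected (3 when the checks work). */
static int run_checks(void)
{
    int ok = 0;

    if (parse_entry_safe(entry_good, sizeof entry_good, scratch, sizeof scratch) == 9 &&
        strcmp(scratch, "a.php") == 0)
        ok++;
    if (parse_entry_safe(entry_oversize, sizeof entry_oversize, scratch, sizeof scratch) == -1)
        ok++;
    if (parse_entry_safe(entry_truncated, sizeof entry_truncated, scratch, sizeof scratch) == -1)
        ok++;
    return ok;
}

int main(void)
{
    parse_entry_unsafe(entry_good, sizeof entry_good);  /* benign input only */
    printf("hardened parser: %d of 3 checks passed\n", run_checks());
    return run_checks() == 3 ? 0 : 1;
}
```

Build with any C compiler (for example `cc -Wall example.c && ./a.out`). The unsafe parser is deliberately never fed the oversize entry: doing so is exactly the overflow the advisory describes, and the only reliable defence is the pair of bounds checks in the hardened version, applied before the copy rather than after.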
Fix
FileCloud is thoroughly tested with specific PHP versions, and using newer versions may affect functionality; therefore, customers should not upgrade PHP beyond the version bundled with FileCloud.
As FileCloud keeps up to date with the latest versions of all software, FileCloud version 23.1.2.22722 upgrades PHP to the latest version, 8.2.10.
What you should do to fix this vulnerability
- If you are using FileCloud Server, we recommend that you update to the latest version, which is 23.1.2.22722 or greater. After updating, confirm that the PHP interpreter bundled with FileCloud reports version 8.2.10 (for example with `php -v` run against the bundled interpreter).
- If you are using FileCloud Online, your site has already been updated to the latest version.
If you have any questions about this advisory, please contact FileCloud support.