7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
74.7%
Issue Overview:
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data. (CVE-2020-7069)
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information. (CVE-2020-7070)
Affected Packages:
php72, php73
Issue Correction:
Run yum update php72 to update your system.
Run yum update php73 to update your system.
New Packages:
i686:
php72-devel-7.2.34-1.26.amzn1.i686
php72-opcache-7.2.34-1.26.amzn1.i686
php72-intl-7.2.34-1.26.amzn1.i686
php72-ldap-7.2.34-1.26.amzn1.i686
php72-bcmath-7.2.34-1.26.amzn1.i686
php72-embedded-7.2.34-1.26.amzn1.i686
php72-xmlrpc-7.2.34-1.26.amzn1.i686
php72-enchant-7.2.34-1.26.amzn1.i686
php72-mysqlnd-7.2.34-1.26.amzn1.i686
php72-dba-7.2.34-1.26.amzn1.i686
php72-tidy-7.2.34-1.26.amzn1.i686
php72-json-7.2.34-1.26.amzn1.i686
php72-7.2.34-1.26.amzn1.i686
php72-debuginfo-7.2.34-1.26.amzn1.i686
php72-soap-7.2.34-1.26.amzn1.i686
php72-snmp-7.2.34-1.26.amzn1.i686
php72-imap-7.2.34-1.26.amzn1.i686
php72-mbstring-7.2.34-1.26.amzn1.i686
php72-odbc-7.2.34-1.26.amzn1.i686
php72-pdo-dblib-7.2.34-1.26.amzn1.i686
php72-fpm-7.2.34-1.26.amzn1.i686
php72-process-7.2.34-1.26.amzn1.i686
php72-gmp-7.2.34-1.26.amzn1.i686
php72-gd-7.2.34-1.26.amzn1.i686
php72-common-7.2.34-1.26.amzn1.i686
php72-pspell-7.2.34-1.26.amzn1.i686
php72-pgsql-7.2.34-1.26.amzn1.i686
php72-cli-7.2.34-1.26.amzn1.i686
php72-xml-7.2.34-1.26.amzn1.i686
php72-pdo-7.2.34-1.26.amzn1.i686
php72-recode-7.2.34-1.26.amzn1.i686
php72-dbg-7.2.34-1.26.amzn1.i686
php73-common-7.3.23-1.29.amzn1.i686
php73-gd-7.3.23-1.29.amzn1.i686
php73-pdo-7.3.23-1.29.amzn1.i686
php73-dbg-7.3.23-1.29.amzn1.i686
php73-7.3.23-1.29.amzn1.i686
php73-recode-7.3.23-1.29.amzn1.i686
php73-embedded-7.3.23-1.29.amzn1.i686
php73-gmp-7.3.23-1.29.amzn1.i686
php73-devel-7.3.23-1.29.amzn1.i686
php73-dba-7.3.23-1.29.amzn1.i686
php73-opcache-7.3.23-1.29.amzn1.i686
php73-fpm-7.3.23-1.29.amzn1.i686
php73-mysqlnd-7.3.23-1.29.amzn1.i686
php73-imap-7.3.23-1.29.amzn1.i686
php73-process-7.3.23-1.29.amzn1.i686
php73-mbstring-7.3.23-1.29.amzn1.i686
php73-debuginfo-7.3.23-1.29.amzn1.i686
php73-pgsql-7.3.23-1.29.amzn1.i686
php73-soap-7.3.23-1.29.amzn1.i686
php73-pdo-dblib-7.3.23-1.29.amzn1.i686
php73-json-7.3.23-1.29.amzn1.i686
php73-ldap-7.3.23-1.29.amzn1.i686
php73-enchant-7.3.23-1.29.amzn1.i686
php73-xmlrpc-7.3.23-1.29.amzn1.i686
php73-tidy-7.3.23-1.29.amzn1.i686
php73-bcmath-7.3.23-1.29.amzn1.i686
php73-odbc-7.3.23-1.29.amzn1.i686
php73-cli-7.3.23-1.29.amzn1.i686
php73-xml-7.3.23-1.29.amzn1.i686
php73-intl-7.3.23-1.29.amzn1.i686
php73-snmp-7.3.23-1.29.amzn1.i686
php73-pspell-7.3.23-1.29.amzn1.i686
src:
php72-7.2.34-1.26.amzn1.src
php73-7.3.23-1.29.amzn1.src
x86_64:
php72-bcmath-7.2.34-1.26.amzn1.x86_64
php72-dba-7.2.34-1.26.amzn1.x86_64
php72-gmp-7.2.34-1.26.amzn1.x86_64
php72-tidy-7.2.34-1.26.amzn1.x86_64
php72-devel-7.2.34-1.26.amzn1.x86_64
php72-json-7.2.34-1.26.amzn1.x86_64
php72-pgsql-7.2.34-1.26.amzn1.x86_64
php72-pdo-7.2.34-1.26.amzn1.x86_64
php72-pspell-7.2.34-1.26.amzn1.x86_64
php72-intl-7.2.34-1.26.amzn1.x86_64
php72-common-7.2.34-1.26.amzn1.x86_64
php72-odbc-7.2.34-1.26.amzn1.x86_64
php72-mbstring-7.2.34-1.26.amzn1.x86_64
php72-debuginfo-7.2.34-1.26.amzn1.x86_64
php72-enchant-7.2.34-1.26.amzn1.x86_64
php72-soap-7.2.34-1.26.amzn1.x86_64
php72-xmlrpc-7.2.34-1.26.amzn1.x86_64
php72-recode-7.2.34-1.26.amzn1.x86_64
php72-ldap-7.2.34-1.26.amzn1.x86_64
php72-opcache-7.2.34-1.26.amzn1.x86_64
php72-dbg-7.2.34-1.26.amzn1.x86_64
php72-mysqlnd-7.2.34-1.26.amzn1.x86_64
php72-pdo-dblib-7.2.34-1.26.amzn1.x86_64
php72-cli-7.2.34-1.26.amzn1.x86_64
php72-snmp-7.2.34-1.26.amzn1.x86_64
php72-imap-7.2.34-1.26.amzn1.x86_64
php72-process-7.2.34-1.26.amzn1.x86_64
php72-fpm-7.2.34-1.26.amzn1.x86_64
php72-gd-7.2.34-1.26.amzn1.x86_64
php72-embedded-7.2.34-1.26.amzn1.x86_64
php72-xml-7.2.34-1.26.amzn1.x86_64
php72-7.2.34-1.26.amzn1.x86_64
php73-tidy-7.3.23-1.29.amzn1.x86_64
php73-7.3.23-1.29.amzn1.x86_64
php73-embedded-7.3.23-1.29.amzn1.x86_64
php73-bcmath-7.3.23-1.29.amzn1.x86_64
php73-mbstring-7.3.23-1.29.amzn1.x86_64
php73-process-7.3.23-1.29.amzn1.x86_64
php73-recode-7.3.23-1.29.amzn1.x86_64
php73-pgsql-7.3.23-1.29.amzn1.x86_64
php73-pspell-7.3.23-1.29.amzn1.x86_64
php73-fpm-7.3.23-1.29.amzn1.x86_64
php73-odbc-7.3.23-1.29.amzn1.x86_64
php73-pdo-dblib-7.3.23-1.29.amzn1.x86_64
php73-devel-7.3.23-1.29.amzn1.x86_64
php73-dbg-7.3.23-1.29.amzn1.x86_64
php73-xml-7.3.23-1.29.amzn1.x86_64
php73-enchant-7.3.23-1.29.amzn1.x86_64
php73-imap-7.3.23-1.29.amzn1.x86_64
php73-pdo-7.3.23-1.29.amzn1.x86_64
php73-mysqlnd-7.3.23-1.29.amzn1.x86_64
php73-soap-7.3.23-1.29.amzn1.x86_64
php73-snmp-7.3.23-1.29.amzn1.x86_64
php73-json-7.3.23-1.29.amzn1.x86_64
php73-ldap-7.3.23-1.29.amzn1.x86_64
php73-gd-7.3.23-1.29.amzn1.x86_64
php73-intl-7.3.23-1.29.amzn1.x86_64
php73-debuginfo-7.3.23-1.29.amzn1.x86_64
php73-common-7.3.23-1.29.amzn1.x86_64
php73-cli-7.3.23-1.29.amzn1.x86_64
php73-xmlrpc-7.3.23-1.29.amzn1.x86_64
php73-dba-7.3.23-1.29.amzn1.x86_64
php73-gmp-7.3.23-1.29.amzn1.x86_64
php73-opcache-7.3.23-1.29.amzn1.x86_64
Red Hat: CVE-2020-7069, CVE-2020-7070
Mitre: CVE-2020-7069, CVE-2020-7070
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | php72-devel | < 7.2.34-1.26.amzn1 | php72-devel-7.2.34-1.26.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | php72-opcache | < 7.2.34-1.26.amzn1 | php72-opcache-7.2.34-1.26.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | php72-intl | < 7.2.34-1.26.amzn1 | php72-intl-7.2.34-1.26.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | php72-ldap | < 7.2.34-1.26.amzn1 | php72-ldap-7.2.34-1.26.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | php72-bcmath | < 7.2.34-1.26.amzn1 | php72-bcmath-7.2.34-1.26.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | php72-embedded | < 7.2.34-1.26.amzn1 | php72-embedded-7.2.34-1.26.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | php72-xmlrpc | < 7.2.34-1.26.amzn1 | php72-xmlrpc-7.2.34-1.26.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | php72-enchant | < 7.2.34-1.26.amzn1 | php72-enchant-7.2.34-1.26.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | php72-mysqlnd | < 7.2.34-1.26.amzn1 | php72-mysqlnd-7.2.34-1.26.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | php72-dba | < 7.2.34-1.26.amzn1 | php72-dba-7.2.34-1.26.amzn1.i686.rpm |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.004 Low
EPSS
Percentile
74.7%