4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.006 Low
EPSS
Percentile
77.8%
In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below
7.4.4, while using get_headers() with user-supplied URL, if the URL
contains zero (\0) character, the URL will be silently truncated at it.
This may cause some software to make incorrect assumptions about the target
of the get_headers() and possibly send some information to a wrong server.
Author | Note |
---|---|
sbeattie | PEAR issues should go against php-pear as of xenial |
leosilva | php5 in precise is 5.3 and does not support the Zend API needed to fix this issue. Since backport this is to intrusive, marking it as ignored for precise/esm. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | php5 | <Â 5.5.9+dfsg-1ubuntu4.29+esm11) Available with Ubuntu Pro or Ubuntu Pro (Infra-only | UNKNOWN |
ubuntu | 16.04 | noarch | php7.0 | <Â 7.0.33-0ubuntu0.16.04.14 | UNKNOWN |
ubuntu | 18.04 | noarch | php7.2 | <Â 7.2.24-0ubuntu0.18.04.4 | UNKNOWN |
ubuntu | 19.10 | noarch | php7.3 | <Â 7.3.11-0ubuntu0.19.10.4 | UNKNOWN |
ubuntu | 20.04 | noarch | php7.4 | <Â 7.4.3-4ubuntu1.1 | UNKNOWN |
git.php.net/?p=php-src.git;a=commit;h=a33d05b1474caee449b88f53d61bee720c57caf7
launchpad.net/bugs/cve/CVE-2020-7066
nvd.nist.gov/vuln/detail/CVE-2020-7066
security-tracker.debian.org/tracker/CVE-2020-7066
ubuntu.com/security/notices/USN-4330-1
ubuntu.com/security/notices/USN-4330-2
www.cve.org/CVERecord?id=CVE-2020-7066
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.006 Low
EPSS
Percentile
77.8%