First published: Tue Mar 17 2020(Updated: )
A vulnerability was found in PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.
Credit: security@php.net security@php.net
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-php73-php | <0:7.3.20-1.el7 | 0:7.3.20-1.el7 |
PHP PHP | >=7.3.0<7.3.16 | |
PHP PHP | >=7.4.0<7.4.4 | |
Debian Debian Linux | =10.0 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.10 | |
Canonical Ubuntu Linux | =20.04 | |
Tenable Tenable.sc | <5.19.0 | |
PHP PHP | <7.3.16 | 7.3.16 |
redhat/php | <7.3.16 | 7.3.16 |
redhat/php | <7.4.4 | 7.4.4 |
debian/php7.4 | 7.4.33-1+deb11u5 7.4.33-1+deb11u7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-7065 is a vulnerability in PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4 that could lead to memory corruption, crashes, and potentially code execution.
CVE-2020-7065 is caused by using the mb_strtolower() function with UTF-32LE encoding and certain invalid strings.
CVE-2020-7065 can be exploited by crafting specially crafted strings to trigger the vulnerability in PHP.
PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4 are affected by CVE-2020-7065.
To remediate CVE-2020-7065, update PHP to version 7.3.16 or 7.4.4 or later.