CVE-2020-7066: get_headers() silently truncates after a null byte
First published: Tue Mar 17 2020(Updated: )
A vulnerability was found in PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server.
Credit: security@php.net security@php.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-php73-php | <0:7.3.20-1.el7 | 0:7.3.20-1.el7 |
| PHP PHP | >=7.2.0<7.2.29 | |
| PHP PHP | >=7.3.0<7.3.16 | |
| PHP PHP | >=7.4.0<7.4.4 | |
| Tenable Tenable.sc | <5.19.0 | |
| Tenable Tenable.sc | =5.19.0 | |
| openSUSE Leap | =15.1 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| PHP PHP | <7.2.29 | 7.2.29 |
| redhat/php | <7.2.29 | 7.2.29 |
| redhat/php | <7.3.16 | 7.3.16 |
| redhat/php | <7.4.4 | 7.4.4 |
| debian/php7.4 | 7.4.33-1+deb11u5 7.4.33-1+deb11u7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-7066 https://nvd.nist.gov/vuln/detail/CVE-2020-7066 https://bugs.php.net/bug.php?id=79329
- https://bugzilla.redhat.com/show_bug.cgi?id=1820604
- https://access.redhat.com/errata/RHSA-2020:3662
- https://access.redhat.com/errata/RHSA-2020:5275
- https://access.redhat.com/security/cve/cve-2020-7066
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00025.html
- https://bugs.php.net/bug.php?id=79329
- https://lists.debian.org/debian-lts-announce/2020/04/msg00021.html
- https://security.netapp.com/advisory/ntap-20200403-0001/
- https://usn.ubuntu.com/4330-2/
- https://www.debian.org/security/2020/dsa-4717
- https://www.debian.org/security/2020/dsa-4719
- https://www.tenable.com/security/tns-2021-14
- https://launchpad.net/bugs/cve/CVE-2020-7066
- https://www.php.net/ChangeLog-7.php#7.2.29 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1820605
- http://git.php.net/?p=php-src.git;a=commit;h=0c77b4307df73217283a4aaf9313e1a33a0967ff
- https://bugs.php.net/79329
- https://git.php.net/?p=php-src.git;a=commit;h=0d139c5b94a5f485a66901919e51faddb0371c43
- https://security-tracker.debian.org/tracker/CVE-2020-7066
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7066
- https://nvd.nist.gov/vuln/detail/CVE-2020-7066
- https://ubuntu.com/security/CVE-2020-7066
Frequently Asked Questions
What is CVE-2020-7066?
CVE-2020-7066 is a vulnerability in PHP versions 7.2.x, 7.3.x, and 7.4.x that allows an attacker to truncate URLs containing null bytes when using the get_headers() function.
How severe is CVE-2020-7066?
CVE-2020-7066 has a severity rating of 4.3 (medium).
How does CVE-2020-7066 affect PHP versions?
CVE-2020-7066 affects PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16, and 7.4.x below 7.4.4.
What is the impact of CVE-2020-7066?
The impact of CVE-2020-7066 is that certain software may make incorrect assumptions about the target of the get_headers() function when the URL is truncated.
How can I fix CVE-2020-7066?
To fix CVE-2020-7066, you should update PHP to version 7.2.29, 7.3.16, or 7.4.4 depending on the version you are currently using.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/php-changelog
- source/PHP
- agent/software-canonical-lookup
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-7066
- agent/title
- agent/severity
- agent/first-publish-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- agent/trending
- package-manager/redhat
- vendor/php
- canonical/php php
- version/php php/7.2.0
- version/php php/7.3.0
- version/php php/7.4.0
- vendor/tenable
- canonical/tenable tenable.sc
- version/tenable tenable.sc/5.19.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- package-manager/debian