CVE-2020-7067: OOB Read in urldecode()
First published: Tue Apr 14 2020(Updated: )
Fixed bug (OOB Read in urldecode()). (CVE-2020-7067)
Credit: security@php.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <7.3.17 | 7.3.17 | |
| PHP PHP | >=7.2.0<7.2.30 | |
| PHP PHP | >=7.3.0<7.3.17 | |
| PHP PHP | >=7.4.0<7.4.5 | |
| Tenable Tenable.sc | <5.19.0 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0.0<=8.4.0.5 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| debian/php7.3 | 7.3.31-1~deb10u1 7.3.31-1~deb10u5 | |
| debian/php7.4 | 7.4.33-1+deb11u4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.php.net/bug.php?id=79465
- https://security.netapp.com/advisory/ntap-20200504-0001/
- https://www.debian.org/security/2020/dsa-4717
- https://www.debian.org/security/2020/dsa-4719
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.tenable.com/security/tns-2021-14
- https://www.php.net/ChangeLog-7.php#7.3.17 (Advisory)
- https://bugs.php.net/79465
- https://git.php.net/?p=php-src.git;a=commit;h=9d6bf8221b05f86ce5875832f0f646c4c1f218be
- https://security-tracker.debian.org/tracker/CVE-2020-7067
Frequently Asked Questions
What is CVE-2020-7067?
CVE-2020-7067 is a vulnerability in PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17, and 7.4.x below 7.4.5 that allows the urldecode() function to access memory locations beyond the allocated memory.
How can the CVE-2020-7067 vulnerability be exploited?
The CVE-2020-7067 vulnerability can be exploited by making the urldecode() function access locations beyond the allocated memory, if PHP is compiled with EBCDIC support and incorrectly uses signed numbers as array indexes.
What is the severity of CVE-2020-7067?
CVE-2020-7067 has a severity rating of 7.5 (high).
Which versions of PHP are affected by CVE-2020-7067?
PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17, and 7.4.x below 7.4.5 are affected by CVE-2020-7067.
How can I fix the CVE-2020-7067 vulnerability?
To fix the CVE-2020-7067 vulnerability, update PHP to version 7.2.30, 7.3.17, or 7.4.5 depending on the currently installed version.
- collector/security-tracker-debian
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/references
- agent/remedy
- agent/author
- collector/php-changelog
- source/PHP
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/tags
- agent/first-publish-date
- agent/event
- agent/description
- package-manager/debian
- vendor/php
- canonical/php php
- version/php php/7.2.0
- version/php php/7.3.0
- version/php php/7.4.0
- vendor/tenable
- canonical/tenable tenable.sc
- vendor/oracle
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0.0
- version/oracle communications diameter signaling router/8.4.0.5
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0