CVE-2020-7069

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.

References

https://bugs.php.net/bug.php?id=79601

https://lists.fedoraproject.org/archives/list/[email protected]/message/RRU57N3OSYZPOMFWPRDNVH7EMYOTSZ66/

https://lists.fedoraproject.org/archives/list/[email protected]/message/7EVDN7D3IB4EAI4D3ZOM2OJKQ5SD7K4E/

https://lists.fedoraproject.org/archives/list/[email protected]/message/P2J3ZZDHCSX65T5QWV4AHBN7MOJXBEKG/

https://security.netapp.com/advisory/ntap-20201016-0001/

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html

https://usn.ubuntu.com/4583-1/

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html

https://security.gentoo.org/glsa/202012-16

https://www.debian.org/security/2021/dsa-4856

https://www.oracle.com/security-alerts/cpuApr2021.html

Details

Source: MITRE

Published: 2020-10-02

Updated: 2021-07-22

Type: CWE-326

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Impact Score: 2.5

Exploitability Score: 3.9

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 6

OR

cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*

Tenable Plugins

View all (22 total)

IDNameProductFamilySeverity
152986Tenable SecurityCenter < 5.19.0 Multiple Vulnerabilities (TNS-2021-14)NessusMisc.
high
152348RHEL 7 : rh-php73-php (RHSA-2021:2992)NessusRed Hat Local Security Checks
medium
151985Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) (deprecated)NessusMisc.
high
147033EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2021-1566)NessusHuawei Local Security Checks
medium
146613Debian DSA-4856-1 : php7.3 - security updateNessusDebian Local Security Checks
medium
144602GLSA-202012-16 : PHP: Multiple vulnerabilitiesNessusGentoo Local Security Checks
medium
143783SUSE SLES12 Security Update : php74 (SUSE-SU-2020:2896-1)NessusSuSE Local Security Checks
medium
143744SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2020:2997-1)NessusSuSE Local Security Checks
medium
143672SUSE SLES12 Security Update : php72 (SUSE-SU-2020:2943-1)NessusSuSE Local Security Checks
medium
143640SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2020:2941-1)NessusSuSE Local Security Checks
medium
142167EulerOS 2.0 SP8 : php (EulerOS-SA-2020-2316)NessusHuawei Local Security Checks
medium
142078openSUSE Security Update : php7 (openSUSE-2020-1767)NessusSuSE Local Security Checks
medium
141980Amazon Linux AMI : php72 (ALAS-2020-1440)NessusAmazon Linux Local Security Checks
medium
141936Ubuntu 20.10 : PHP vulnerabilities (USN-4583-2)NessusUbuntu Local Security Checks
medium
141662openSUSE Security Update : php7 (openSUSE-2020-1703)NessusSuSE Local Security Checks
medium
141355PHP 7.2 < 7.2.34 / 7.3.x < 7.3.23 / 7.4.x < 7.4.11 Mulitiple VulnerabilitiesNessusCGI abuses
medium
112604PHP 7.2.x < 7.2.34 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
112603PHP 7.3.x < 7.3.23 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
112602PHP 7.4.x < 7.4.11 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
medium
141299Fedora 33 : php (2020-4573f0e03a)NessusFedora Local Security Checks
medium
141296Fedora 32 : php (2020-4fe6b116e5)NessusFedora Local Security Checks
medium
141295Fedora 31 : php (2020-94763cb98b)NessusFedora Local Security Checks
medium