Alpine: php7: security update to 7.3.15-r2 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400413

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with
exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of
uninitialized memory. This could potentially lead to information disclosure or crash. (CVE-2020-7064)

- In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with
UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could
lead to memory corruption, crashes and potentially code execution. (CVE-2020-7065)

- In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers()
with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it.
This may cause some software to make incorrect assumptions about the target of the get_headers() and
possibly send some information to a wrong server. (CVE-2020-7066)

See Also

https://git.alpinelinux.org/aports/commit/?id=1db02782e1ed01a3eaeb6a48c7daefeb0ab98bd6

https://git.alpinelinux.org/aports/commit/?id=21a3c8982ee0931e3b842bfeb4f45191fa6769ee

Plugin Details

Severity: High

ID: 400413

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-7065

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/19/2020

Vulnerability Publication Date: 3/17/2020

Reference Information

CVE: CVE-2020-7064, CVE-2020-7065, CVE-2020-7066

IAVA: 2020-A-0117-S