Alpine: php7: security update to 7.3.16-r0

high Tenable Self-Hosted Container Security Plugin ID 406336

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with
exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of
uninitialized memory. This could potentially lead to information disclosure or crash. (CVE-2020-7064)

- In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with
UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could
lead to memory corruption, crashes and potentially code execution. (CVE-2020-7065)

- In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers()
with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it.
This may cause some software to make incorrect assumptions about the target of the get_headers() and
possibly send some information to a wrong server. (CVE-2020-7066)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-7064

https://security.alpinelinux.org/vuln/CVE-2020-7065

https://security.alpinelinux.org/vuln/CVE-2020-7066

Plugin Details

Severity: High

ID: 406336

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-7065

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/17/2020

Reference Information

CVE: CVE-2020-7064, CVE-2020-7065, CVE-2020-7066

IAVA: 2020-A-0117-S