CVE-2020-7060
Last modified
CVE-2020-7060 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.. EPSS estimates a 8.89% chance of exploitation in the next 30 days.
Description
When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | >= 7.2.0, < 7.2.27 |
| Php | Php | >= 7.3.0, < 7.3.14 |
| Php | Php | >= 7.4.0, < 7.4.2 |
| Tenable | Tenable.Sc | < 5.19.0 |
| Oracle | Communications Diameter Signaling Router | >= 8.0, <= 8.4 |
| Opensuse | Leap | 15.1 |
| Debian | Debian Linux | 8.0 |
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.htmlMailing List, Third Party Advisory
- https://bugs.php.net/bug.php?id=79037Exploit, Patch, Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2020/02/msg00030.htmlMailing List, Third Party Advisory
- https://seclists.org/bugtraq/2020/Feb/27Mailing List, Third Party Advisory
- https://seclists.org/bugtraq/2020/Feb/31Mailing List, Third Party Advisory
- https://seclists.org/bugtraq/2021/Jan/3Mailing List, Third Party Advisory
- https://security.gentoo.org/glsa/202003-57Third Party Advisory
- https://security.netapp.com/advisory/ntap-20200221-0002/Mailing List, Third Party Advisory
- https://usn.ubuntu.com/4279-1/Patch, Third Party Advisory
- https://www.debian.org/security/2020/dsa-4626Third Party Advisory
- https://www.debian.org/security/2020/dsa-4628Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
- https://www.tenable.com/security/tns-2021-14Patch, Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.htmlMailing List, Third Party Advisory
- https://bugs.php.net/bug.php?id=79037Exploit, Patch, Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2020/02/msg00030.htmlMailing List, Third Party Advisory
- https://seclists.org/bugtraq/2020/Feb/27Mailing List, Third Party Advisory
- https://seclists.org/bugtraq/2020/Feb/31Mailing List, Third Party Advisory
- https://seclists.org/bugtraq/2021/Jan/3Mailing List, Third Party Advisory
- https://security.gentoo.org/glsa/202003-57Third Party Advisory
- https://security.netapp.com/advisory/ntap-20200221-0002/Mailing List, Third Party Advisory
- https://usn.ubuntu.com/4279-1/Patch, Third Party Advisory
- https://www.debian.org/security/2020/dsa-4626Third Party Advisory
- https://www.debian.org/security/2020/dsa-4628Third Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpujul2020.htmlThird Party Advisory
- https://www.tenable.com/security/tns-2021-14Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-7060?
How severe is CVE-2020-7060?
How do I fix CVE-2020-7060?
Are you affected by CVE-2020-7060?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST