CVE-2020-7069
02.10.2020, 15:15
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.Enginsight
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.2.0 ≤ 𝑥 < 7.2.34 |
| php | php | 7.3.0 ≤ 𝑥 < 7.3.23 |
| php | php | 7.4.0 ≤ 𝑥 < 7.4.11 |
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| opensuse | leap | 15.2 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 20.04 |
| netapp | clustered_data_ontap | - |
| oracle | communications_diameter_signaling_router | 8.0.0 ≤ 𝑥 ≤ 8.5.0 |
| tenable | tenable.sc | 𝑥 < 5.19.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| php5 |
| ||||||||||
| php7.0 |
| ||||||||||
| php7.2 |
| ||||||||||
| php7.4 |
|
Common Weakness Enumeration
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-326 - Inadequate Encryption StrengthThe software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
References