CVE-2020-7070
02.10.2020, 15:15
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.Enginsight
| Vendor | Product | Version |
|---|---|---|
| php | php | 7.2.0 ≤ 𝑥 < 7.2.34 |
| php | php | 7.3.0 ≤ 𝑥 < 7.3.23 |
| php | php | 7.4.0 ≤ 𝑥 < 7.4.11 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| opensuse | leap | 15.1 |
| opensuse | leap | 15.2 |
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 16.04 |
| canonical | ubuntu_linux | 18.04 |
| canonical | ubuntu_linux | 20.04 |
| netapp | clustered_data_ontap | - |
| tenable | tenable.sc | 𝑥 < 5.19.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| php5 |
| ||||||||||
| php7.0 |
| ||||||||||
| php7.2 |
| ||||||||||
| php7.4 |
|
Common Weakness Enumeration
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-565 - Reliance on Cookies without Validation and Integrity CheckingThe application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.
References