CVE-2020-7059

Description

When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.

How to fix CVE-2020-7059

To remediate CVE-2020-7059, upgrade the affected package to a fixed version below.

• Bitnami/libphp—upgrade to 7.2.27 or later
• —upgrade to 7.2.27 or later
• —upgrade to 7.2.27 or later
• —upgrade to 5.6.40+dfsg-0+deb8u9 or later
• —upgrade to 7.4.2-7 or later

Is CVE-2020-7059 being exploited?

Low — EPSS is 2.4%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• >= 7.2.0, < 7.2.27, >= 7.3.0, < 7.3.14, >= 7.4.0, < 7.4.2
• >= 7.2.0, < 7.2.27, >= 7.3.0, < 7.3.14, >= 7.4.0, < 7.4.2
• >= 7.2.0, < 7.2.27, >= 7.3.0, < 7.3.14, >= 7.4.0, < 7.4.2
• from 0, < 5.6.40+dfsg-0+deb8u9
• from 0, < 7.4.2-7

CVSS scores

References (16)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-7059
• WEBlists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html
• WEBbugs.php.net/bug.php?id=79099
• WEBlists.debian.org/debian-lts-announce/2020/02/msg00030.html