CVE-2020-7067
OOB Read in urldecode()
7.5
HIGH
CVSS 3.1
EPSS 9.0%
Description
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), the urldecode() function can be made to read memory past the allocated buffer, because the decoded byte is used as an array index through a signed type, so values of 0x80 and above become negative indexes. The affected code path is only compiled into EBCDIC builds; the usual ASCII builds of PHP on Linux, macOS and Windows do not contain it, even at an affected version number.
How to fix CVE-2020-7067
To remediate CVE-2020-7067, upgrade to the first fixed release of the PHP branch you run: 7.2.30, 7.3.17 or 7.4.5. "Or later" means later within the same branch; 7.3.0, for example, is newer than 7.2.30 but still vulnerable. Confirm the running version with php -v, and check the web SAPI's version via phpinfo() as well, since CLI and web builds can differ. Fixed versions per package:
- Bitnami/libphp—upgrade to 7.2.30, 7.3.17 or 7.4.5 (or later in the same branch)
- —upgrade to 7.2.30, 7.3.17 or 7.4.5 (or later in the same branch)
- —upgrade to 7.2.30, 7.3.17 or 7.4.5 (or later in the same branch)
- —upgrade to 7.4.5-1 or later
Is CVE-2020-7067 being exploited?
Moderate: EPSS is 9.0%, the estimated probability of exploitation activity in the next 30 days. Track this CVE, but it is not at the top of the prioritisation list. Note also that the vulnerable code is compiled only into EBCDIC builds of PHP, so the large majority of deployments (ASCII builds) are not exposed even while running an affected version; the upgrade is still the clean way to close the finding.
Affected packages (4)
- >= 7.2.0, < 7.2.30, >= 7.3.0, < 7.3.17, >= 7.4.0, < 7.4.5
- >= 7.2.0, < 7.2.30, >= 7.3.0, < 7.3.17, >= 7.4.0, < 7.4.5
- >= 7.2.0, < 7.2.30, >= 7.3.0, < 7.3.17, >= 7.4.0, < 7.4.5
- from 0, < 7.4.5-1
CVSS scores
| Source | CVSS version | Severity (score) | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |