CVE-2020-7070

Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.

How to fix CVE-2020-7070

To remediate CVE-2020-7070, upgrade the affected package to a fixed version below.

• —upgrade to 7.2.34 or later
• —upgrade to 7.2.34 or later
• —upgrade to 7.2.34 or later
• —upgrade to 7.0.33-0+deb9u10 or later
• —upgrade to 7.4.11-1 or later

Is CVE-2020-7070 being exploited?

Moderate — EPSS is 26.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

• >= 7.2.0, < 7.2.34, >= 7.3.0, < 7.3.23, >= 7.4.0, < 7.4.11
• >= 7.2.0, < 7.2.34, >= 7.3.0, < 7.3.23, >= 7.4.0, < 7.4.11
• >= 7.2.0, < 7.2.34, >= 7.3.0, < 7.3.23, >= 7.4.0, < 7.4.11
• from 0, < 7.0.33-0+deb9u10
• from 0, < 7.4.11-1

CVSS scores

References (17)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-7070
• WEBcve.circl.lu/cve/CVE-2020-8184
• WEBlists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html
• WEBlists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html