CVE-2020-7065 — Stack-based Buffer Overflow in Group PHP
Severity
8.8HIGHNVD
CNA7.4
EPSS
5.0%
top 10.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 1
Latest updateMay 24
Description
In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9
Affected Packages3 packages
Also affects: Debian Linux 10.0, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 19.10, 20.04
Patches
🔴Vulnerability Details
5📋Vendor Advisories
4💬Community
3HackerOne▶
mb_strtolower (UTF-32LE): stack-buffer-overflow at php_unicode_tolower_full (CVE-2020-7065)↗2020-10-21
Bugzilla▶
CVE-2020-7065 php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution↗2020-04-03
Bugzilla▶
CVE-2020-7065 php: by using mb_strtolower() function with UTF-32LE encoding leads to potential code execution [fedora-all]↗2020-04-03