CVE-2020-7069

CWE-20 — Improper Input Validation CWE-32611 documents8 sources

Severity

6.5MEDIUM

EPSS

8.4%

top 7.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP PHP Tenable Tenable.sc +5 more

Timeline

PublishedOct 2

Latest updateMay 24

Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages10 packages

▶NVDphp/php7.2.0 — 7.2.34+2

▶CVEListV5php_group/php7.3.x — 7.3.23+2

▶NVDtenable/tenable.sc< 5.19.0

▶Ubuntuphp5< 5.5.9+dfsg-1ubuntu4.29+esm13

▶Debianphp7.4< 7.4.11-1

Also affects: Debian Linux 10.0, Fedora 31, 32, 33, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 20.04

Patches

Patch: bugs.php.net ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-v3rw-94vx-73w6: In PHP versions 7↗2022-05-24

▶

OSV

php5, php7.0, php7.2, php7.4 vulnerabilities↗2020-10-14

▶

OSV

CVE-2020-7069: In PHP versions 7↗2020-10-02

▶

CVEList

Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV↗2020-10-02

▶

📋Vendor Advisories

Ubuntu

PHP vulnerabilities↗2020-10-27

▶

Ubuntu

PHP vulnerabilities↗2020-10-14

▶

Red Hat

php: Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV↗2020-05-15

▶

Debian

CVE-2020-7069: php7.4 - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, w...↗2020

▶

💬Community

Bugzilla

CVE-2020-7069 php: wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV [fedora-all]↗2020-10-06

▶

Bugzilla

CVE-2020-7069 php: Wrong ciphertext/tag in AES-CCM encryption for a 12 bytes IV↗2020-10-06

▶