CVE-2020-7069
published 2020-10-02CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only…
medium6.5CVSS 3.1
AVNACLPRNUINSUCLILAN
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | php7.4 | < php7.4 7.4.11-1 (bullseye) | php7.4 7.4.11-1 (bullseye) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| oracle | communications_diameter_signaling_router | 8.0.0 – 8.5.0 | — |
| php | php | >= 7.2.0 < 7.2.34 | 7.2.34 |
| php | php | >= 7.3.0 < 7.3.23 | 7.3.23 |
| php | php | >= 7.4.0 < 7.4.11 | 7.4.11 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.29+esm13 | 5.5.9+dfsg-1ubuntu4.29+esm13 |
| php_group | php | >= 7.2.x < 7.2.34 | 7.2.34 |
| php_group | php | >= 7.3.x < 7.3.23 | 7.3.23 |
| php_group | php | >= 7.4.x < 7.4.11 | 7.4.11 |
| tenable | tenable.sc | < 5.19.0 | 5.19.0 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
osv6.5MEDIUM