CVE-2020-7070

Опубликовано: 14 июн. 2020

Источник: redhat

CVSS3: 5.3

Описание

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 5	php	Out of support scope
Red Hat Enterprise Linux 5	php53	Out of support scope
Red Hat Enterprise Linux 6	php	Out of support scope
Red Hat Enterprise Linux 7	php	Out of support scope
Red Hat Enterprise Linux 8	php:7.2/php	Fix deferred
Red Hat Enterprise Linux 8	php:7.3/php	Fix deferred
Red Hat Software Collections	rh-php72-php	Out of support scope
Red Hat Enterprise Linux 8	php	Fixed	RHSA-2021:4213	09.11.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7	rh-php73-php	Fixed	RHSA-2021:2992	03.08.2021
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS	rh-php73-php	Fixed	RHSA-2021:2992	03.08.2021

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=1885738php: URL decoding of cookie names can lead to different interpretation of cookies between browser and server

5.3 Medium

CVSS3

Связанные уязвимости

CVE-2020-7070

CVSS3: 4.3

ubuntu

больше 4 лет назад

CVE-2020-7070

CVSS3: 4.3

nvd

больше 4 лет назад

CVE-2020-7070

CVSS3: 4.3

debian

больше 4 лет назад

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below ...

SUSE-SU-2020:2920-1

suse-cvrf

больше 4 лет назад

Security update for php7

SUSE-SU-2020:2894-1

suse-cvrf

больше 4 лет назад

Security update for php5

5.3 Medium

CVSS3