PT-2020-2040 · PHP 7

Published

2020-03-17

·

Updated

2025-08-11

·

CVE-2020-7065

CVSS v2.0

10

High

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
PHP versions 7.3.x below 7.3.16
PHP versions 7.4.x below 7.4.4
Description The issue is in PHP's mb_strtolower() function when it is called with the UTF-32LE encoding. Certain invalid input strings cause PHP to write past a stack-allocated buffer, leading to memory corruption, crashes and potentially code execution. A remote attacker who controls a string that reaches mb_strtolower() with this encoding could therefore execute arbitrary code.
Recommendations For PHP versions 7.3.x below 7.3.16, update to version 7.3.16 or later. For PHP versions 7.4.x below 7.4.4, update to version 7.4.4 or later. Distribution packages may carry the fix as a backport under an older version number; see the vendor advisories under Related Identifiers. As a temporary workaround until the update can be applied, avoid calling mb_strtolower() with the UTF-32LE encoding, in particular on attacker-controlled input.
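A small version check for the ranges stated above, added here as an example and not part of the advisory or of the PHP project. It parses a bare version string or the first line of `php -v` output and reports whether the upstream version falls inside an affected range; the branch boundaries (7.3.16, 7.4.4) are taken from this page, everything else is assumed. Note the caveat: distribution builds that backport the fix (for example the RHSA, DSA and USN updates listed under Related Identifiers) keep their original version number, so a match here means "check the package changelog", not "confirmed vulnerable".

```python
import re
import subprocess

# Fixed releases named by the advisory: 7.3.x is fixed in 7.3.16, 7.4.x in 7.4.4.
# Branches not named by the advisory are not flagged.
FIXED = {
    (7, 3): (7, 3, 16),
    (7, 4): (7, 4, 4),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Return (major, minor, patch) from a bare version such as '7.4.3',
    a distro-suffixed one such as '7.4.3-4ubuntu2' (suffix ignored), or the
    first line of `php -v` output such as 'PHP 7.4.3 (cli) (built: ...)'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no MAJOR.MINOR.PATCH version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True when the upstream version is in an affected range of CVE-2020-7065.
    Caveat: a distro package may already contain a backported fix while still
    reporting an older version, so a True result is a prompt to check the
    package changelog, not a confirmation."""
    v = parse_php_version(text)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def check_local_php():
    """Run `php -v` on this host (assumed to be on PATH) and classify it.
    Returns a short status string; 'unknown' if php is not installed."""
    try:
        out = subprocess.run(["php", "-v"], capture_output=True, text=True,
                             check=True).stdout.splitlines()[0]
    except (OSError, subprocess.CalledProcessError, IndexError):
        return "unknown: php not found or produced no output"
    v = parse_php_version(out)
    status = "AFFECTED (verify distro backports)" if is_affected(out) else "not in affected range"
    return "PHP %d.%d.%d: %s" % (v[0], v[1], v[2], status)


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from any real host.
    for sample in ("7.3.15", "7.3.16", "7.4.3-4ubuntu2",
                   "PHP 7.4.4 (cli) (built: Mar 17 2020 10:00:00) ( NTS )"):
        print("%-60s %s" % (sample, "affected" if is_affected(sample) else "ok"))
    print(check_local_php())
```

`is_affected` compares tuples, so "7.4.10" sorts after "7.4.4" correctly; a naive string comparison would get that wrong.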

Exploit

Fix

Memory Corruption

Stack Overflow

Weakness Enumeration

Related Identifiers

ALSA-2020:3662
ALT-PU-2020-1562
ALT-PU-2020-1603
BDU:2020-01677
BIT-LIBPHP-2020-7065
BIT-PHP-2020-7065
BIT-PHP-MIN-2020-7065
CESA-2020_3662
CVE-2020-7065
DSA-4719-1
MGASA-2020-0148
RHSA-2020:3662
RHSA-2020:5275
RHSA-2020_3662
RLSA-2020:3662
USN-4330-1
USN-4330-2

Affected Products

Alt Linux
Almalinux
Centos
Linuxmint
Php
Red Hat
Rocky Linux
Ubuntu