PT-2020-5865 · PHP (+9 other affected products)
Published
2020-04-27
·
Updated
2025-08-11
·
CVE-2020-7069
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
PHP versions 7.2.x below 7.2.34
PHP versions 7.3.x below 7.3.23
PHP versions 7.4.x below 7.4.11
Description:
The issue lies in PHP's openssl_encrypt() function when it is called with an AES-CCM cipher (for example aes-128-ccm or aes-256-ccm) and a 12-byte initialization vector (the CCM nonce). Only the first 7 bytes of the supplied IV are actually passed to the cipher; the remaining 5 bytes are silently ignored (7 bytes is OpenSSL's default CCM nonce length, so in effect the caller's 12-byte nonce length is never applied). This has two consequences. First, the effective nonce space shrinks from 96 bits to 56 bits, and any two messages encrypted under the same key whose IVs agree in their first 7 bytes are encrypted under an identical nonce. Nonce reuse in CCM leaks the XOR of the two plaintexts and undermines the authenticity guarantee of the tag, so a remote attacker who can observe such ciphertexts may recover or tamper with confidential data. Second, the output is incorrect with respect to the CCM specification: ciphertext and tag produced this way cannot be decrypted or verified by a correct implementation that uses the full 12-byte nonce.
Recommendations:
For PHP versions 7.2.x below 7.2.34, update to version 7.2.34 or later.
For PHP versions 7.3.x below 7.3.23, update to version 7.3.23 or later.
For PHP versions 7.4.x below 7.4.11, update to version 7.4.11 or later.
If you cannot update immediately, avoid calling openssl_encrypt() with an AES-CCM cipher and a 12-byte IV on affected versions. The simplest alternative is the corresponding AES-GCM cipher (for example aes-256-gcm), whose native nonce length is 12 bytes and which is not affected by this bug; in any mode, never reuse a (key, IV) pair. Treat data already encrypted with the affected CCM code path as weakly protected, restrict access to it, and re-encrypt it under a fixed build.
Weakness type: Inadequate Encryption Strength
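As an added example (not code from this advisory or from the PHP project), the following script probes a PHP build for the IV truncation described above and implements the AES-GCM fallback from the recommendations. It relies only on the documented openssl_encrypt()/openssl_decrypt() signatures (the AEAD tag and AAD parameters available since PHP 7.1); the key, IVs and messages are constructed for the probe. The detection is differential: on an affected build, two 12-byte IVs that share their first 7 bytes collapse to a single nonce, so encryption under both yields byte-identical output and a tag produced under one IV verifies under the other.

```php
<?php
// Added example (not from the advisory or the PHP project): probes whether
// this PHP build truncates a 12-byte AES-CCM IV to 7 bytes (CVE-2020-7069)
// and shows the AES-GCM fallback from the recommendations.
declare(strict_types=1);

/**
 * Differential probe. On a correct build, two IVs that agree in their first
 * 7 bytes but differ in the last 5 must give different ciphertexts and tags.
 */
function probe_ccm_iv_truncation(): array
{
    $cipher = 'aes-256-ccm';
    if (!in_array($cipher, openssl_get_cipher_methods(), true)) {
        return ['supported' => false, 'vulnerable' => null];
    }

    $key   = random_bytes(32);       // constructed 256-bit key for the probe
    $plain = 'CVE-2020-7069 probe';  // constructed sample input

    // Constructed 12-byte IVs: identical first 7 bytes, different last 5.
    $ivA = "\x01\x02\x03\x04\x05\x06\x07" . "\x00\x00\x00\x00\x00";
    $ivB = "\x01\x02\x03\x04\x05\x06\x07" . "\xff\xff\xff\xff\xff";

    $tagA = $tagB = '';
    $ctA = openssl_encrypt($plain, $cipher, $key, OPENSSL_RAW_DATA, $ivA, $tagA, '', 16);
    $ctB = openssl_encrypt($plain, $cipher, $key, OPENSSL_RAW_DATA, $ivB, $tagB, '', 16);
    if ($ctA === false || $ctB === false) {
        return ['supported' => true, 'vulnerable' => null,
                'error' => (string) openssl_error_string()];
    }

    // Signal 1: if only 7 IV bytes are used, both calls ran under the same
    // nonce and produce byte-identical ciphertext and tag.
    $sameOutput = ($ctA === $ctB && $tagA === $tagB);

    // Signal 2: ciphertext made under ivA must NOT authenticate under ivB.
    // A truncating build accepts it because the two nonces collapse to one.
    $cross = openssl_decrypt($ctA, $cipher, $key, OPENSSL_RAW_DATA, $ivB, $tagA);
    $crossAccepted = ($cross === $plain);

    return [
        'supported'         => true,
        'vulnerable'        => $sameOutput || $crossAccepted,
        'same_output'       => $sameOutput,
        'cross_iv_accepted' => $crossAccepted,
    ];
}

/**
 * Fallback from the recommendations: AES-GCM with a fresh random 12-byte
 * nonce per message (GCM's native nonce size, unaffected by this bug).
 * Output layout: nonce (12) || tag (16) || ciphertext.
 */
function encrypt_gcm(string $key, string $plain, string $aad = ''): string
{
    $nonce = random_bytes(12);
    $tag   = '';
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad, 16);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $nonce . $tag . $ct;
}

function decrypt_gcm(string $key, string $blob, string $aad = ''): string
{
    if (strlen($blob) < 28) {
        throw new RuntimeException('ciphertext too short');
    }
    $nonce = substr($blob, 0, 12);
    $tag   = substr($blob, 12, 16);
    $ct    = substr($blob, 28);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag, $aad);
    if ($plain === false) {
        throw new RuntimeException('authentication failed');
    }
    return $plain;
}

// Usage: run the probe, then round-trip a message through the GCM fallback.
$r = probe_ccm_iv_truncation();
if (!$r['supported']) {
    echo "aes-256-ccm is not available in this build\n";
} elseif ($r['vulnerable'] === null) {
    echo "probe inconclusive: " . ($r['error'] ?? 'unknown error') . "\n";
} else {
    printf("PHP %s: 12-byte AES-CCM IV is %s\n", PHP_VERSION,
        $r['vulnerable'] ? 'TRUNCATED to 7 bytes (affected)' : 'used in full (fixed)');
}

$k    = random_bytes(32);
$blob = encrypt_gcm($k, 'sensitive record', 'ctx:example');
var_dump(decrypt_gcm($k, $blob, 'ctx:example') === 'sensitive record');
```

Run the probe on each PHP build you operate rather than trusting version strings alone: distributions listed below backport fixes without changing the upstream version number, and the differential check answers the question directly. Note that a PHP-only encrypt/decrypt round trip does not reveal the bug, since both sides would apply the same truncation; that is why the probe compares outputs across IVs instead.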
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Php
Red Hat
Rocky Linux
Suse
Ubuntu