6.5
CVE-2020-7069
- EPSS 8.35%
- Published 02.10.2020 15:15:12
- Last modified 21.11.2024 05:36:36
- Source security@php.net
- Teams watchlist Login
- Open Login
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.
Data is provided by the National Vulnerability Database (NVD)
Fedoraproject ≫ Fedora Version31
Fedoraproject ≫ Fedora Version32
Fedoraproject ≫ Fedora Version33
Debian ≫ Debian Linux Version10.0
Canonical ≫ Ubuntu Linux Version12.04 SwEdition-
Canonical ≫ Ubuntu Linux Version14.04 SwEditionesm
Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts
Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts
Canonical ≫ Ubuntu Linux Version20.04 SwEditionlts
Netapp ≫ Clustered Data Ontap Version-
Oracle ≫ Communications Diameter Signaling Router Version >= 8.0.0 <= 8.5.0
Tenable ≫ Tenable.Sc Version < 5.19.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 8.35% | 0.919 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
| nvd@nist.gov | 6.4 | 10 | 4.9 |
AV:N/AC:L/Au:N/C:P/I:P/A:N
|
| security@php.net | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-326 Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.