CVE-2020-7069 — MEDIUM (5.4)

Q: How severe is CVE-2020-7069?

CVE-2020-7069 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-7069?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Fedoraproject Fedora, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux.

Vulnerability Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Php	Php	>= 7.2.0, < 7.2.34
Fedoraproject	Fedora	31
Debian	Debian Linux	10.0
Opensuse	Leap	15.1
Canonical	Ubuntu Linux	12.04
Netapp	Clustered Data Ontap	-
Oracle	Communications Diameter Signaling Router	>= 8.0.0, <= 8.5.0
Tenable	Tenable.Sc	< 5.19.0

Related Weaknesses (CWE)

CWE-20 CWE-326

References

http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.htmlMailing ListThird Party Advisory
https://bugs.php.net/bug.php?id=79601Issue TrackingPatchVendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202012-16Third Party Advisory
https://security.netapp.com/advisory/ntap-20201016-0001/Third Party Advisory
https://usn.ubuntu.com/4583-1/Third Party Advisory
https://www.debian.org/security/2021/dsa-4856Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
https://www.tenable.com/security/tns-2021-14Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2020-7069?

CVE-2020-7069 is a vulnerability with a CVSS score of 5.4 (MEDIUM). In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used...

How severe is CVE-2020-7069?

CVE-2020-7069 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-7069?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Fedoraproject Fedora, Debian Debian Linux, Opensuse Leap, Canonical Ubuntu Linux.