Korean
<< Back
VID 22952
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description According to its self-reported version number, the version of PHP running on the remote web server is 7.2.x prior to 7.2.34, 7.3.x prior to 7.3.23 or 7.4.x prior to 7.4.11. It is, therefore, affected by multiple vulnerabilties:

- A weak cryptography vulnerability exists in PHP's openssl_encrypt function due to a failure to utilize all provided IV bytes. An unauthenticated, remote attacker could exploit this to reduce the level of security provided by the encryption scheme or affect the integrity of the encrypted data (CVE-2020-7069).

- A cookie forgery vulnerability exists in PHP's HTTP processing functionality. An unauthenticated, remote could expoit this to forge HTTP cookies which were supposed to be secure. (CVE-2020-7070)

* References:
http://bugs.php.net/79601
http://bugs.php.net/79699
https://www.php.net/ChangeLog-7.php#7.2.34
https://www.php.net/ChangeLog-7.php#7.3.23
https://www.php.net/ChangeLog-7.php#7.4.11

* Platforms Affected:
PHP Prior to 7.3.23
Any operating system Any version
Recommendation Upgrade to the latest version of PHP (7.3.23 or later), available from the PHP web site at http://www.php.net/downloads.php
Related URL CVE-2020-7069,CVE-2020-7070 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)