CVE-2020-7069

Advisory lineage Upstream: 0 Downstream: 15
Modified
Published: 02 Oct 2020, 14:14
Last modified:17 Sept 2024, 04:04

Vulnerability Summary

Overall Risk (default)
medium
28/100
CVSS Score
6.5 MEDIUM
v3.1 (nvd)
EPSS Score
8.35% LOW
8% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

02 Oct 2020, 14:14
Published
Vulnerability first disclosed
17 Sept 2024, 04:04
Last Modified
Vulnerability information updated

Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.

CVSS Metrics

  • v3.1MEDIUMScore: 5.4CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • v3.1MEDIUMScore: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • v2.0MEDIUMScore: 6.4AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 8.35% Percentile: 92%

Techniques & Countermeasures

  • CWE-326Inadequate Encryption Strength

    The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

  • CWE-20Improper Input Validation

    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

  • canonicalubuntu_linux

    12.04 | 14.04 | 16.04 | 18.04 | 20.04

  • debiandebian_linux

    10.0

  • fedoraprojectfedora

    31 | 32 | 33

  • netappclustered_data_ontap

    na

  • opensuseleap

    15.1 | 15.2

  • oraclecommunications_diameter_signaling_router

    ≥ 8.0.0, ≤ 8.5.0

  • UnknownPHP

    ≥ 7.3.x, < 7.3.23 | ≥ 7.4.x, < 7.4.11 | ≥ 7.2.x, < 7.2.34

  • UnknownPHP

    ≥ 7.2.0, < 7.2.34 | ≥ 7.3.0, < 7.3.23 | ≥ 7.4.0, < 7.4.11

  • tenabletenable.sc

    < 5.19.0

References (13)