CVE-2020-7070

Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.

CVSS Metrics

• v3.1•MEDIUM•Score: 4.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
• v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 26.09%• Percentile: 96%

Techniques & Countermeasures

• CWE-565•Reliance on Cookies without Validation and Integrity Checking

  The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

• CWE-20•Improper Input Validation

  The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

• canonical•ubuntu_linux

  12.04 | 14.04 | 16.04 | 18.04 | 20.04

• debian•debian_linux

  9.0 | 10.0

• fedoraproject•fedora

  31 | 32 | 33

• netapp•clustered_data_ontap

  na

• opensuse•leap

  15.1 | 15.2

• Unknown•PHP

  ≥ 7.3.x, < 7.3.23 | ≥ 7.4.x, < 7.4.11 | ≥ 7.2.x, < 7.2.34

• Unknown•PHP

  ≥ 7.2.0, < 7.2.34 | ≥ 7.3.0, < 7.3.23 | ≥ 7.4.0, < 7.4.11

• tenable•tenable.sc

  < 5.19.0

References (15)

• https://hackerone.com/reports/895727
• https://bugs.php.net/bug.php?id=79699
• http://cve.circl.lu/cve/CVE-2020-8184
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRU57N3OSYZPOMFWPRDNVH7EMYOTSZ66/
• https://lists.debian.org/debian-lts-announce/2020/10/msg00008.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7EVDN7D3IB4EAI4D3ZOM2OJKQ5SD7K4E/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2J3ZZDHCSX65T5QWV4AHBN7MOJXBEKG/
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html
• https://usn.ubuntu.com/4583-1/
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html
• https://security.gentoo.org/glsa/202012-16
• https://www.debian.org/security/2021/dsa-4856
• https://security.netapp.com/advisory/ntap-20201016-0001/
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.tenable.com/security/tns-2021-14