CVE-2020-7066 - OpenCVE

In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux
Php	Php
Tenable	Tenable.sc
Opensuse	Leap

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php::::::::

Configuration 2 [-]

OR	cpe:2.3:a:tenable:tenable.sc::::::::
	cpe:2.3:a:tenable:tenable.sc:5.19.0:::::::*

Configuration 3 [-]

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00025.html	Third Party Advisory
https://bugs.php.net/bug.php?id=79329	Exploit Issue Tracking Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/04/msg00021.html	Third Party Advisory
https://security.netapp.com/advisory/ntap-20200403-0001/	Third Party Advisory
https://usn.ubuntu.com/4330-2/	Third Party Advisory
https://www.debian.org/security/2020/dsa-4717	Third Party Advisory
https://www.debian.org/security/2020/dsa-4719	Third Party Advisory
https://www.tenable.com/security/tns-2021-14	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: php

Published: 2020-03-17T00:00:00

Updated: 2021-07-22T17:06:30

Reserved: 2020-01-15T00:00:00

Link: CVE-2020-7066

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-04-01T04:15:14.020

Modified: 2022-05-08T23:51:59.500

Link: CVE-2020-7066

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "PHP", "vendor": "PHP Group", "versions": [{"status": "affected", "version": "7.2.x below 7.2.29"}, {"status": "affected", "version": "7.3.x below 7.3.16"}, {"status": "affected", "version": "7.4.x below 7.4.4"}]}], "credits": [{"lang": "en", "value": "64796c6e69 at gmail dot com"}], "datePublic": "2020-03-17T00:00:00", "descriptions": [{"lang": "en", "value": "In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-170", "description": "CWE-170 Improper Null Termination", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-07-22T17:06:30", "orgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "shortName": "php"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugs.php.net/bug.php?id=79329"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200403-0001/"}, {"name": "[debian-lts-announce] 20200426 [SECURITY] [DLA 2188-1] php5 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00021.html"}, {"name": "USN-4330-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4330-2/"}, {"name": "openSUSE-SU-2020:0642", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00025.html"}, {"name": "DSA-4717", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4717"}, {"name": "DSA-4719", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4719"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.tenable.com/security/tns-2021-14"}], "source": {"defect": ["https://bugs.php.net/bug.php?id=79329"], "discovery": "EXTERNAL"}, "title": "get_headers() silently truncates after a null byte", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@php.net", "DATE_PUBLIC": "2020-03-17T05:39:00.000Z", "ID": "CVE-2020-7066", "STATE": "PUBLIC", "TITLE": "get_headers() silently truncates after a null byte"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PHP", "version": {"version_data": [{"version_value": "7.2.x below 7.2.29"}, {"version_value": "7.3.x below 7.3.16"}, {"version_value": "7.4.x below 7.4.4"}]}}]}, "vendor_name": "PHP Group"}]}}, "credit": [{"lang": "eng", "value": "64796c6e69 at gmail dot com"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-170 Improper Null Termination"}]}]}, "references": {"reference_data": [{"name": "https://bugs.php.net/bug.php?id=79329", "refsource": "MISC", "url": "https://bugs.php.net/bug.php?id=79329"}, {"name": "https://security.netapp.com/advisory/ntap-20200403-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200403-0001/"}, {"name": "[debian-lts-announce] 20200426 [SECURITY] [DLA 2188-1] php5 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00021.html"}, {"name": "USN-4330-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4330-2/"}, {"name": "openSUSE-SU-2020:0642", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00025.html"}, {"name": "DSA-4717", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4717"}, {"name": "DSA-4719", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4719"}, {"name": "https://www.tenable.com/security/tns-2021-14", "refsource": "CONFIRM", "url": "https://www.tenable.com/security/tns-2021-14"}]}, "source": {"defect": ["https://bugs.php.net/bug.php?id=79329"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "dd77f84a-d19a-4638-8c3d-a322d820ed2b", "assignerShortName": "php", "cveId": "CVE-2020-7066", "datePublished": "2020-03-17T00:00:00", "dateReserved": "2020-01-15T00:00:00", "dateUpdated": "2021-07-22T17:06:30", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "A758E148-563D-4E04-A321-71FB7622314F", "versionEndExcluding": "7.2.29", "versionStartIncluding": "7.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "ECF918F4-EEAF-4F96-A49A-D367D549C52B", "versionEndExcluding": "7.3.16", "versionStartIncluding": "7.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "F809DF30-2CCC-4E3D-819B-75E5E0827E45", "versionEndExcluding": "7.4.4", "versionStartIncluding": "7.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tenable:tenable.sc:*:*:*:*:*:*:*:*", "matchCriteriaId": "41DBA7C7-8084-45F6-B59D-13A9022C34DF", "versionEndExcluding": "5.19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tenable:tenable.sc:5.19.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D04D487-429B-4A0F-8B86-EBD355555EDF", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server."}, {"lang": "es", "value": "En las versiones de PHP 7.2.x anterior a la versi\u00f3n 7.2.29, 7.3.x anterior a 7.3.16 y 7.4.x anterior a 7.4.4, mientras usa get_headers () con la URL suministrada por el usuario, si la URL contiene un car\u00e1cter cero (\\ 0), el La URL se truncar\u00e1 silenciosamente en ella. Esto puede hacer que algunos programas hagan suposiciones incorrectas sobre el objetivo de get_headers () y posiblemente env\u00eden informaci\u00f3n a un servidor incorrecto."}], "id": "CVE-2020-7066", "lastModified": "2022-05-08T23:51:59.500", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@php.net", "type": "Secondary"}]}, "published": "2020-04-01T04:15:14.020", "references": [{"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00025.html"}, {"source": "security@php.net", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.php.net/bug.php?id=79329"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00021.html"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200403-0001/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4330-2/"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4717"}, {"source": "security@php.net", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4719"}, {"source": "security@php.net", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.tenable.com/security/tns-2021-14"}], "sourceIdentifier": "security@php.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-170"}], "source": "security@php.net", "type": "Secondary"}]}