CVE-2020-7062
NULL pointer dereference in PHP session upload progress
Publication Date | 2020-02-04 |
---|---|
Severity | Moderate |
Type | Denial of Service |
Affected PHP Versions | |
Fixed Product Versions | |
CVE Details
In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled) and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter a null pointer dereference, which would likely lead to a crash.
Recommendations
Set the session.upload_progress.cleanup INI value to 1 (enabled).
When possible, upgrade to 7.2.28 or above, 7.3.15 or above, or 7.4.3 or above.
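An audit check for the condition described above, added here as an example and not part of the advisory or of PHP itself: it combines the version ranges from the CVE details with the two INI directives to classify a host. The function names, the result labels and the sample php.ini fragment are assumptions made for illustration, and the directive defaults (both enabled when unset) are PHP's documented defaults.

```python
import re

# First fixed release per branch, as stated in the advisory.
FIXED = {(7, 2): 28, (7, 3): 15, (7, 4): 3}
ENABLED, CLEANUP = "session.upload_progress.enabled", "session.upload_progress.cleanup"
# PHP's built-in defaults: both directives are enabled when unset.
DEFAULTS = {ENABLED: "1", CLEANUP: "1"}
# Constructed sample php.ini fragment (not taken from a real host).
SAMPLE_INI = """
[Session]
session.upload_progress.enabled = On
session.upload_progress.cleanup = Off  ; kept for debugging
"""

def version_status(version):
    """Return 'affected', 'fixed' or 'unlisted' for a PHP version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unlisted"  # the advisory says nothing about this branch
    return "affected" if patch < fixed else "fixed"

def read_ini(text):
    """Effective values of the two directives; the last assignment wins."""
    values = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip ';' comments
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in values:
                values[key] = value.strip("\"'")
    return values

def ini_bool(value):
    """Approximate PHP's boolean INI parsing (On/Yes/True or non-zero int)."""
    v = value.strip().lower()
    m = re.match(r"[+-]?\d+", v)
    return v in ("on", "yes", "true") or (bool(m) and int(m.group()) != 0)

def assess(version, ini_text):
    """'exposed' or 'mitigated' on affected versions, else the version status."""
    status = version_status(version)
    if status != "affected":
        return status
    on = {k: ini_bool(v) for k, v in read_ini(ini_text).items()}
    return "exposed" if on[ENABLED] and not on[CLEANUP] else "mitigated"
```

Here "mitigated" means only that the trigger condition in the advisory is not met on an affected version; upgrading is still the fix. Distribution packages that backport fixes keep the old version number, so treat the version result as a first pass.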