CVE-2020-7065 | Zend by Perforce

by using mb_strtolower() function with UTF-32LE encoding leads to potential code execution

Publication Date	2020-04-01
Severity	High
Type	Remote Code Execution
Affected PHP Versions	7.3.0 - 7.3.15 7.4.0 - 7.4.3
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendServer 2019.0.5

CVE Details

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using the mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite a stack-allocated buffer. This could lead to memory corruption, crashes, and potentially code execution.

Recommendations

Upgrade to 7.3.16 or above, or 7.4.4 or above.

< View all CVEs