CVE-2020-7067
out-of-bounds read when using a malformed url-encoded string
Publication Date | 2020-04-10 |
---|---|
Severity | Low |
Type | Information Disclosure |
Affected PHP Versions |
|
Fixed Product Versions |
|
CVE Details
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17, and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), the urldecode()
function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.
Recommendations
Upgrade to PHP 7.2.30 or above, 7.3.17 or above, or 7.4.5 or above.