CVE-2020-7067

out-of-bounds read when using a malformed url-encoded string

Publication Date 2020-04-10
Severity Low
Type Information Disclosure
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.0.0 - 7.0.33
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.29
  • 7.3.0 - 7.3.16
  • 7.4.0 - 7.4.4
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendServer 2019.0.5

CVE Details

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17, and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), the urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

Recommendations

Upgrade to PHP 7.2.30 or above, 7.3.17 or above, or 7.4.5 or above.