Fixed versions: 7.2.27, 7.3.14, 7.4.2
CVE-2020-7059 describes a buffer overflow vulnerability affecting PHP versions 7.2.x (prior to 7.2.27), 7.3.x (prior to 7.3.14), and 7.4.x (prior to 7.4.2). This vulnerability arises within the fgetss() function when processing data with tag stripping enabled. An attacker can craft malicious input that causes the function to read beyond the allocated buffer, potentially leading to information disclosure or a denial-of-service crash.
Successful exploitation of CVE-2020-7059 could allow an attacker to read sensitive data from memory, potentially including configuration files, session data, or other confidential information. In some scenarios, the buffer overflow could also lead to a denial of service by crashing the PHP interpreter. The impact is particularly severe in environments where PHP is used to process user-supplied data, as this increases the likelihood of an attacker being able to craft a malicious input. While the CVSS score is medium, the potential for information disclosure makes this a significant concern.
CVE-2020-7059 was published on 2020-02-10. It is not currently listed on KEV or EPSS, suggesting a low probability of active exploitation. Public Proof-of-Concept (PoC) code may exist, but there are no widespread reports of exploitation campaigns targeting this specific vulnerability. The vulnerability affects a range of PHP versions, making it a potentially widespread concern.
Web applications relying on PHP versions 7.2.x, 7.3.x, or 7.4.x, particularly those that process user-supplied data with tag stripping enabled, are at risk. Shared hosting environments where multiple applications share the same PHP installation are also at increased risk, as a vulnerability in one application could potentially impact others.
• php: Examine PHP error logs for stack traces indicating buffer overflows or memory access violations when using fgetss() with tag stripping.
    grep -i 'fgetss' /var/log/php_errors.log
• linux / server: Monitor system resource usage (CPU, memory) for sudden spikes that could indicate a denial-of-service attack triggered by the vulnerability. Use top or htop to observe resource consumption.
• generic web: Inspect web application logs for unusual requests or error messages related to data processing or tag stripping. Use tools like tcpdump or Wireshark to analyze network traffic for suspicious patterns.
Disclosure
Exploit status
EPSS: 2.37% (85th percentile)
CVSS vector
The primary mitigation for CVE-2020-7059 is to upgrade to PHP version 7.4.2 or later. If immediate upgrading is not possible, consider implementing stricter input validation on data processed by fgetss() with tag stripping. This could involve limiting the size of the input or sanitizing the data to remove potentially malicious characters. While a WAF might not directly prevent this vulnerability, it could be configured to detect and block requests containing unusually large or malformed input that could trigger the overflow. After upgrading, verify the fix by attempting to reproduce the vulnerability with a known malicious input and confirming that the application no longer crashes or discloses sensitive information.
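As an added example (not code from the advisory or from the PHP project), the following PHP snippet shows how an application can check whether the running interpreter falls in one of the affected ranges listed above and, where it does, read tag-stripped lines without calling fgetss() at all, using a bounded fgets() plus strip_tags() as the size-limited alternative the mitigation describes. The 4096-byte cap and the function names are assumptions for illustration.

```php
<?php
// Added example for CVE-2020-7059 (not from the advisory). Fixed versions
// per branch are taken from the advisory text above.
const CVE_2020_7059_FIXED = [
    '7.2' => '7.2.27',
    '7.3' => '7.3.14',
    '7.4' => '7.4.2',
];

// Return true when $version sits in an affected branch below its fix.
// Branches not listed (e.g. 7.1, 8.0) are treated as not affected here.
function isVulnerableToCve20207059(string $version): bool
{
    $parts  = explode('.', $version);
    $branch = $parts[0] . '.' . ($parts[1] ?? '0');
    if (!isset(CVE_2020_7059_FIXED[$branch])) {
        return false;
    }
    return version_compare($version, CVE_2020_7059_FIXED[$branch], '<');
}

// Read one line with tags stripped without touching fgetss().
// $maxLen bounds the bytes read per call (assumed default; tune per app),
// which is the input-size limit the mitigation section recommends.
// fgetss() is deprecated since PHP 7.3 and gone in 8.0, so this path is
// also the forward-compatible one. Returns null at end of stream.
function readLineStripped($stream, int $maxLen = 4096): ?string
{
    $line = fgets($stream, $maxLen);
    if ($line === false) {
        return null;
    }
    return strip_tags($line);
}

// Usage with a constructed in-memory stream (sample input, not real data).
$stream = fopen('php://memory', 'r+');
fwrite($stream, "<b>hello</b> <i>world</i>\n");
rewind($stream);

printf("PHP %s affected by CVE-2020-7059: %s\n", PHP_VERSION,
    isVulnerableToCve20207059(PHP_VERSION) ? 'yes' : 'no');
echo readLineStripped($stream); // prints "hello world"
```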
Update to the latest version of PHP. If you are using the 7.2.x versions, update to version 7.2.27 or later. If you are using the 7.3.x versions, update to version 7.3.14 or later. If you are using the 7.4.x versions, update to version 7.4.2 or later.
CVE-2020-7059 is a medium severity buffer overflow vulnerability in PHP versions 7.2.0–7.4.2 affecting the fgetss() function when stripping tags, potentially leading to information disclosure or crashes.
If you are using PHP versions 7.2.x prior to 7.2.27, 7.3.x prior to 7.3.14, or 7.4.x prior to 7.4.2, you are potentially affected by this vulnerability.
Upgrade to PHP 7.4.2 or later to remediate the vulnerability. Input validation can provide a temporary mitigation if immediate upgrade is not possible.
While there are public proof-of-concept exploits available, there is currently no evidence of active exploitation campaigns targeting this vulnerability.
Refer to the official PHP security advisory for details: https://security.php.net/CVE-2020-7059