Plattform
php
Komponente
php
Behoben in
7.2.28
7.3.15
7.4.3
CVE-2020-7062 affects PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, and 7.4.x below 7.4.3. The vulnerability arises when using the file upload functionality with upload progress tracking enabled, but session.upload_progress.cleanup is disabled (set to 0). If the file upload fails, the application attempts to clean up data that does not exist, resulting in a null pointer dereference and a likely crash.
The primary impact of CVE-2020-7062 is a denial of service (DoS) due to the application crashing. While the vulnerability does not directly lead to information disclosure, a crash can disrupt service availability and potentially impact other functionalities. The severity is heightened in environments where file uploads are a critical component of the application. An attacker could repeatedly trigger the upload failure condition to repeatedly crash the application, effectively rendering it unavailable. The null pointer dereference indicates a potential for more severe consequences if exploited in conjunction with other vulnerabilities.
CVE-2020-7062 was published on 2020-02-27. It is not currently listed on KEV or EPSS, suggesting a low probability of active exploitation. Public Proof-of-Concept (PoC) code may exist, but there are no widespread reports of exploitation campaigns targeting this specific vulnerability. The vulnerability affects a range of PHP versions, making it a potentially widespread concern.
Web applications utilizing PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, and 7.4.x below 7.4.3, particularly those employing file upload functionality with progress tracking enabled, are at risk. Shared hosting environments running vulnerable PHP versions are also a significant concern.
• linux / server:
journalctl -u php7.4 -g "Null Pointer Dereference"• generic web:
curl -I https://your-php-application.com/upload.php | grep -i "PHP/7.4.2"disclosure
Exploit-Status
EPSS
1.16% (78% Perzentil)
CVSS-Vektor
The recommended mitigation for CVE-2020-7062 is to upgrade to PHP version 7.4.3 or later. If upgrading is not immediately feasible, consider enabling session.upload_progress.cleanup (set to 1) to ensure proper cleanup of upload data. Alternatively, disable upload progress tracking entirely if it is not essential for the application's functionality. A WAF might be configured to detect and block requests that exhibit suspicious upload patterns, but this is not a primary mitigation strategy. After upgrading, verify the fix by attempting to trigger a failed file upload and confirming that the application does not crash.
Actualice a la última versión de PHP. Específicamente, actualice a la versión 7.2.28 o superior, 7.3.15 o superior, o 7.4.3 o superior. Esto corrige la vulnerabilidad de desreferencia de puntero nulo.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2020-7062 is a vulnerability in PHP 7.4 and earlier versions that can cause a crash during file uploads when progress tracking is enabled but cleanup is disabled, leading to a denial-of-service.
You are affected if you are running PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15, or 7.4.x below 7.4.3 and using file upload functionality with progress tracking enabled.
Upgrade to PHP 7.4.3 or later to resolve the vulnerability. As a temporary workaround, you can disable session.upload_progress.cleanup, but this will disable upload progress tracking.
While no confirmed active exploitation campaigns are publicly known, the potential for DoS attacks makes it a concern, and proof-of-concept exploits are available.
Refer to the PHP security advisory at https://security.php.net/CVE-2020-7062 for detailed information and updates.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.