Plattform
php
Komponente
php
Behoben in
7.3.16
7.4.4
CVE-2020-7065 describes a stack buffer overflow vulnerability within the mb_strtolower() function in PHP when using UTF-32LE encoding. This flaw can be triggered by specific invalid strings, leading to memory corruption, crashes, and potentially arbitrary code execution. This issue affects PHP versions 7.3.0 through 7.3.15 and 7.4.0 through 7.4.3. The vulnerability is resolved in PHP version 7.4.4.
An attacker can exploit CVE-2020-7065 by crafting a malicious string encoded in UTF-32LE and passing it to the mb_strtolower() function. The resulting buffer overflow can overwrite critical data on the stack, potentially allowing the attacker to hijack control flow and execute arbitrary code. The severity of this vulnerability is high due to the potential for remote code execution. Successful exploitation could lead to complete compromise of the affected PHP application and the underlying server. This is particularly concerning in web applications where user input is directly processed by PHP scripts.
CVE-2020-7065 was published on April 1, 2020. There are currently no publicly known active campaigns exploiting this vulnerability. No public Proof-of-Concept (POC) code has been widely released. The vulnerability's severity is rated as HIGH based on the CVSS score. It is not currently listed on CISA’s Known Exploited Vulnerabilities catalog (KEV).
Exploit-Status
EPSS
5.02% (90% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2020-7065 is to upgrade to PHP version 7.4.4 or later. If an immediate upgrade is not possible, carefully review and sanitize all user input before passing it to the mb_strtolower() function, especially when dealing with UTF-32LE encoded strings. Consider using alternative string manipulation functions that are less susceptible to buffer overflows. Web Application Firewalls (WAFs) can be configured to detect and block requests containing potentially malicious UTF-32LE encoded strings. After upgrading, confirm the fix by attempting to process a known malicious UTF-32LE string and verifying that no stack overflow occurs.
Actualice a PHP versión 7.3.16 o superior, o a la versión 7.4.4 o superior. Esto corregirá la vulnerabilidad de desbordamiento de búfer en la función mb_strtolower con codificación UTF-32LE.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2020-7065 is a vulnerability in PHP where the mb_strtolower() function, when used with UTF-32LE encoding and certain invalid strings, can lead to a stack buffer overflow.
You are affected if you are running PHP versions 7.3.x below 7.3.16 or 7.4.x below 7.4.4.
Upgrade to PHP 7.4.4 or later to resolve this vulnerability.
Currently, there are no publicly available exploitation reports or proof-of-concept code for CVE-2020-7065.
Refer to the National Vulnerability Database (NVD) entry at https://nvd.nist.gov/vuln/detail/CVE-2020-7065 and the PHP security advisory for more information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.