CVE-2020-7069

MEDIUM

PHP 7.2.0-7.2.33, 7.3.0-7.3.22, 7.4.0-7.4.10 - Inadequate Encryption Strength in AES-CCM Mode

Title source: llm
STIX 2.1

Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.

References (13)

Core 13
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://bugs.php.net/bug.php?id=79601
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00045.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4583-1/
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00067.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202012-16
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4856
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20201016-0001/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2021-14

Scores

CVSS v3 5.4
EPSS 0.0835
EPSS Percentile 92.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Details

CWE
CWE-326 CWE-20
Status published
Products (15)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 20.04
debian/debian_linux 10.0
fedoraproject/fedora 31
fedoraproject/fedora 32
fedoraproject/fedora 33
netapp/clustered_data_ontap
... and 5 more
Published Oct 02, 2020
Tracked Since Feb 18, 2026