Vulnerability Details CVE-2020-7059
When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.019
EPSS Ranking 82.0%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 6.4
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html
- https://bugs.php.net/bug.php?id=79099
- https://lists.debian.org/debian-lts-announce/2020/02/msg00030.html
- https://seclists.org/bugtraq/2020/Feb/27
- https://seclists.org/bugtraq/2020/Feb/31
- https://seclists.org/bugtraq/2021/Jan/3
- https://security.gentoo.org/glsa/202003-57
- https://security.netapp.com/advisory/ntap-20200221-0002/
- https://usn.ubuntu.com/4279-1/
- https://www.debian.org/security/2020/dsa-4626
- https://www.debian.org/security/2020/dsa-4628
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.tenable.com/security/tns-2021-14
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00023.html
- https://bugs.php.net/bug.php?id=79099
- https://lists.debian.org/debian-lts-announce/2020/02/msg00030.html
- https://seclists.org/bugtraq/2020/Feb/27
- https://seclists.org/bugtraq/2020/Feb/31
- https://seclists.org/bugtraq/2021/Jan/3
- https://security.gentoo.org/glsa/202003-57
- https://security.netapp.com/advisory/ntap-20200221-0002/
- https://usn.ubuntu.com/4279-1/
- https://www.debian.org/security/2020/dsa-4626
- https://www.debian.org/security/2020/dsa-4628
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.tenable.com/security/tns-2021-14
Products affected by CVE-2020-7059
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.2
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3.0.0
-
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4
-
cpe:2.3:a:php:php:7.2.0
-
cpe:2.3:a:php:php:7.2.1
-
cpe:2.3:a:php:php:7.2.10
-
cpe:2.3:a:php:php:7.2.11
-
cpe:2.3:a:php:php:7.2.12
-
cpe:2.3:a:php:php:7.2.13
-
cpe:2.3:a:php:php:7.2.14
-
cpe:2.3:a:php:php:7.2.15
-
cpe:2.3:a:php:php:7.2.16
-
cpe:2.3:a:php:php:7.2.17
-
cpe:2.3:a:php:php:7.2.18
-
cpe:2.3:a:php:php:7.2.19
-
cpe:2.3:a:php:php:7.2.2
-
cpe:2.3:a:php:php:7.2.20
-
cpe:2.3:a:php:php:7.2.21
-
cpe:2.3:a:php:php:7.2.22
-
cpe:2.3:a:php:php:7.2.23
-
cpe:2.3:a:php:php:7.2.24
-
cpe:2.3:a:php:php:7.2.25
-
cpe:2.3:a:php:php:7.2.26
-
cpe:2.3:a:php:php:7.2.3
-
cpe:2.3:a:php:php:7.2.4
-
cpe:2.3:a:php:php:7.2.5
-
cpe:2.3:a:php:php:7.2.6
-
cpe:2.3:a:php:php:7.2.7
-
cpe:2.3:a:php:php:7.2.8
-
cpe:2.3:a:php:php:7.2.9
-
cpe:2.3:a:php:php:7.3.0
-
cpe:2.3:a:php:php:7.3.1
-
cpe:2.3:a:php:php:7.3.10
-
cpe:2.3:a:php:php:7.3.11
-
cpe:2.3:a:php:php:7.3.12
-
cpe:2.3:a:php:php:7.3.13
-
cpe:2.3:a:php:php:7.3.2
-
cpe:2.3:a:php:php:7.3.3
-
cpe:2.3:a:php:php:7.3.4
-
cpe:2.3:a:php:php:7.3.5
-
cpe:2.3:a:php:php:7.3.6
-
cpe:2.3:a:php:php:7.3.7
-
cpe:2.3:a:php:php:7.3.8
-
cpe:2.3:a:php:php:7.3.9
-
cpe:2.3:a:php:php:7.4.0
-
cpe:2.3:a:php:php:7.4.1
-
cpe:2.3:a:tenable:tenable.sc:-
-
cpe:2.3:a:tenable:tenable.sc:5.13.0
-
cpe:2.3:a:tenable:tenable.sc:5.14.0
-
cpe:2.3:a:tenable:tenable.sc:5.14.1
-
cpe:2.3:a:tenable:tenable.sc:5.16.0
-
cpe:2.3:a:tenable:tenable.sc:5.17.0
-
cpe:2.3:a:tenable:tenable.sc:5.18.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:opensuse:leap:15.1