CVE-2020-7067 HIGH

CVE-2020-7067: OOB Read in urldecode()

Vendor Php Group
Product PHP
Weakness CWE-125
Published April 27, 2020
Last update September 17, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.

Key dates

02Disclosure timeline

April 27, 2020 CVE published
September 17, 2024 Record updated