CVE-2020-7070 MEDIUM

CVE-2020-7070: PHP parses encoded cookie names so malicious `__Host-` cookies can be sent

Vendor Php Group
Product PHP
Weakness CWE-20 · Input validation
Published October 2, 2020
Last update September 16, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP processes incoming HTTP cookie values, the cookie names are URL-decoded. As a result, cookies with prefixes such as `__Host-` can be confused with cookies whose names only decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. See also CVE-2020-8184 for more information.
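To make the confusion concrete, here is an added example (not PHP's code and not part of this record) that models the two parsing behaviours in Python. It assumes a server that trusts cookie names starting with `__Host-` or `__Secure-` for session handling, and it mirrors PHP's `urldecode` semantics with `urllib.parse.unquote_plus`. The sample `Cookie` header is constructed for the demonstration.

```python
from urllib.parse import unquote_plus

# Cookie-name prefixes that browsers only honour with Secure/Path/Domain
# constraints; a server treats them as stronger than ordinary cookie names.
PROTECTED_PREFIXES = ("__Host-", "__Secure-")


def split_cookie_header(header):
    """Split a Cookie header into (raw_name, value) pairs without decoding anything."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        raw_name, value = part.split("=", 1)
        pairs.append((raw_name.strip(), value.strip()))
    return pairs


def vulnerable_cookies(header):
    """Model of the affected behaviour: names are URL-decoded before use as keys.

    A wire name like '%5F%5FHost-session' decodes to '__Host-session' and lands
    in the same slot as the real prefixed cookie; the last one parsed wins.
    """
    cookies = {}
    for raw_name, value in split_cookie_header(header):
        cookies[unquote_plus(raw_name)] = value  # decoding creates the collision
    return cookies


def has_forged_prefix(raw_name, decoded_name):
    """True when a protected prefix appears only after decoding the name."""
    return decoded_name.startswith(PROTECTED_PREFIXES) and not raw_name.startswith(
        PROTECTED_PREFIXES
    )


def hardened_cookies(header):
    """Key cookies by their raw wire name and drop names whose prefix is forged.

    Keeping the raw name means '%5F%5FHost-session' can never shadow
    '__Host-session'; rejecting it outright also makes the attempt visible
    for logging or alerting.
    """
    cookies = {}
    for raw_name, value in split_cookie_header(header):
        decoded_name = unquote_plus(raw_name)
        if has_forged_prefix(raw_name, decoded_name):
            continue  # forged prefix: discard rather than trust
        cookies[raw_name] = value
    return cookies


if __name__ == "__main__":
    # Constructed header: a genuine __Host- cookie followed by an encoded look-alike.
    sample = "__Host-session=good; %5F%5FHost-session=evil"
    print("vulnerable:", vulnerable_cookies(sample))
    print("hardened:  ", hardened_cookies(sample))
```

With the constructed header, the vulnerable model ends up with `__Host-session` mapped to `evil`, because the decoded look-alike overwrites the genuine cookie, while the hardened model keeps only the genuine `__Host-session=good`. Ordinary cookies that legitimately contain percent-encoding (for example `my%20cookie`) are still accepted under their raw name, so the check only fires when decoding would mint a protected prefix.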

Key dates

Disclosure timeline

October 2, 2020 CVE published
September 16, 2024 Record updated