Attacker Value
Low
(1 user assessed)
Exploitability
Very Low
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
0

CVE-2020-7065

Disclosure Date: March 17, 2020
CVE-2020-7065 CVSS v3 Base Score: 8.8
Exploited in the Wild
Reported by Cabir13
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution.

Add Assessment

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very Low
Common in enterprise
Technical Analysis

With a CVSS base score of 7.4 and 1.7 million code hits from a Github search, this is looking like it has potential.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
PHP 7.3.16
PHP 7.4.4
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • canonical,
  • debian,
  • php,
  • tenable

Products

  • debian linux 10.0,
  • php,
  • tenable.sc,
  • ubuntu linux 12.04,
  • ubuntu linux 14.04,
  • ubuntu linux 16.04,
  • ubuntu linux 18.04,
  • ubuntu linux 19.10,
  • ubuntu linux 20.04

Exploited in the Wild

Reported by:
Technical Analysis