CVE-2020-7069

Public on 2020-10-26
Modified on 2020-10-27
Description
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.
Severity
Medium
CVSS v3 Base Score
6.5
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 php72 2020-10-26 18:16 ALAS-2020-1440
Amazon Linux 1 php73 2020-10-26 18:16 ALAS-2020-1440

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
NVD CVSSv2 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N
NVD CVSSv3 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N