Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2020-7070

Public on 2020-10-02
Modified on 2020-10-27
Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.

Severity
Low
See what this means
CVSS v3 Base Score
5.3
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 php72 2020-10-26 18:16 ALAS-2020-1440
Amazon Linux 1 php73 2020-10-26 18:16 ALAS-2020-1440

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD CVSSv2 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
NVD CVSSv3 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N