CVE-2020-7070

NameCVE-2020-7070
DescriptionIn PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2397-1, DSA-4856-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php7.0 (PTS)stretch7.0.33-0+deb9u8vulnerable
stretch (security)7.0.33-0+deb9u12fixed
php7.3 (PTS)buster, buster (security)7.3.31-1~deb10u1fixed
php7.4 (PTS)bullseye (security), bullseye7.4.28-1+deb11u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php7.0sourcestretch7.0.33-0+deb9u10DLA-2397-1
php7.0source(unstable)(unfixed)
php7.3sourcebuster7.3.27-1~deb10u1DSA-4856-1
php7.3source(unstable)(unfixed)
php7.4source(unstable)7.4.11-1

Notes

Fixed in PHP 7.4.11, 7.3.23, 7.2.34
PHP Bug: https://bugs.php.net/79699
https://git.php.net/?p=php-src.git;a=commit;h=6559fe912661ca5ce5f0eeeb591d928451428ed0
Search for package or bug name: Reporting problems