CVE-2020-7065

Public on 2020-04-01
Modified on 2020-05-14
Description
A vulnerability was found in PHP while using the mb_strtolower() function with UTF-32LE encoding, where certain invalid strings cause PHP to overwrite the stack-allocated buffer. This flaw leads to memory corruption, crashes, and potential code execution.
Severity
Medium severity
Medium
CVSS v3 Base Score
8.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 php73 2020-05-08 ALAS-2020-1368 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD CVSSv3 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD CVSSv2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P