SB2020051426 - Amazon Linux AMI update for php72

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020051426

SB2020051426 - Amazon Linux AMI update for php72

Published: May 14, 2020

Security Bulletin ID SB2020051426
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2020-7064)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within exif_read_data() PHP function. A remote attacker can pass specially crafted data to the application that uses the vulnerable function, trigger one byte out-of-bounds read error and read contents of memory on the system.


2) Input validation error (CVE-ID: CVE-2020-7066)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to get_headers() PHP function silently truncates headers after receiving a NULL byte character. A remote attacker can abuse this behavior to bypass implemented security restrictions with in the application.


3) Out-of-bounds read (CVE-ID: CVE-2020-7067)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing untrusted input passed to urldecode() PHP function. A remote attacker can send specially crafted data to the application that uses the affected function and gain access to sensitive information on the system


Remediation

Install update from vendor's website.

References