Main Vulnerability Database SB2020100220

SB2020100220 - Cryptographic issues in php7 (Alpine package)

Published: October 2, 2020

Security Bulletin ID SB2020100220

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cryptographic issues (CVE-ID: CVE-2020-7069)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the openssl_encrypt() function generates a wrong ciphertext and a wrong tag for AES-CCM for a 12 bytes IV. As a result, a 7-byte nonce is used instead of 12 bytes. A remote attacker can abuse such behavior and decrypt data.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=fea14b992879a919d81e6500b16721f9ecf084b7