CVE-2020-7060

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-7060
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7060.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-7060
Aliases
Downstream
Related
Published
2020-02-10T08:15:12.797Z
Modified
2026-04-16T04:32:44.221004436Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
[none]
Details

When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbflfiltconvbig5wchar to read past the allocated buffer. This may lead to information disclosure or crash.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
8148cbb78841c8ec0759c0836e7f35dec799d300
Fixed
40c86aa3af2e25971e9c13460ca874348456410d
Introduced
52ace952a1b65ca80fc2617f11c2fa6dd03f51bd
Fixed
4b2854db6fd2fae5a950ae7ce25257ee08cee916
Introduced
3c7824e16ec4c3cee417262445d2c2b66531c10f
Fixed
264ef4f16300270dd4e92d2510660836a4814579
Introduced
5dc92c2117cafc61daaaaa240fd46c3ac33872a4
Last affected
b437f2b32eb364c9496d24abcc734272e5c9c980
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5dc92c2117cafc61daaaaa240fd46c3ac33872a4
Database specific 
{
    "versions": [
        {
            "introduced": "7.2.0"
        },
        {
            "fixed": "7.2.27"
        },
        {
            "introduced": "7.3.0"
        },
        {
            "fixed": "7.3.14"
        },
        {
            "introduced": "7.4.0"
        },
        {
            "fixed": "7.4.2"
        },
        {
            "introduced": "8.0"
        },
        {
            "last_affected": "8.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0"
        }
    ]
}

Affected versions

Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
security-audit-2024
php-7.*
php-7.3.14RC1
php-8.*
php-8.0.0
php-8.4.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7060.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "5.19.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.1"
            }
        ]
    }
]