Fluid Attacks Database

Description

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	php7.4	>=0 <7.4.11-1	7.4.11-1
rpm rhel5	php	-	-
rpm rhel6	php	-	-
rpm rhel8	php	-	-
rpm rhel5	php53	-	-
rpm rhel7	php	-	-

Aliases

1. CVE-2020-70702. NVD-2020-70703. OSV-DEBIAN-2020-70704. OSV-2020-70705. SECURITY-TRACKER-CVE-2020-7070

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.