CVE-2020-7064 Use-of-uninitialized-value in exif

2020-02-1700:00:00

CWE-125

php

www.cve.org

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

6.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.3%

JSON

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash.

CNA Affected

[
  {
    "product": "PHP",
    "vendor": "PHP Group",
    "versions": [
      {
        "lessThan": "7.3.16",
        "status": "affected",
        "version": "7.3.x",
        "versionType": "custom"
      },
      {
        "lessThan": "7.4.4",
        "status": "affected",
        "version": "7.4.x",
        "versionType": "custom"
      },
      {
        "lessThan": "7.2.29",
        "status": "affected",
        "version": "7.2.x",
        "versionType": "custom"
      }
    ]
  }
]