rpm package
suse/php7&distro=SUSE Linux Enterprise Server for SAP Applications 15 SP2
pkg:rpm/suse/php7&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21704 | Med | 5.0 | < 7.4.33-150200.3.46.2 | 7.4.33-150200.3.46.2 | Oct 4, 2021 | In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid respon | |
| CVE-2021-21702 | Med | 5.3 | < 7.4.33-150200.3.46.2 | 7.4.33-150200.3.46.2 | Feb 15, 2021 | In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash. | |
| CVE-2020-7071 | Med | 5.3 | < 7.4.33-150200.3.46.2 | 7.4.33-150200.3.46.2 | Feb 15, 2021 | In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL | |
| CVE-2020-7070 | Med | 4.3 | < 7.4.33-150200.3.46.2 | 7.4.33-150200.3.46.2 | Oct 2, 2020 | In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading t | |
| CVE-2020-7069 | Med | 5.4 | < 7.4.33-150200.3.46.2 | 7.4.33-150200.3.46.2 | Oct 2, 2020 | In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data. | |
| CVE-2020-7068 | Med | 4.8 | < 7.4.33-150200.3.46.2 | 7.4.33-150200.3.46.2 | Sep 9, 2020 | In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure. | |
| CVE-2017-8923 | Cri | 9.8 | < 7.4.33-150200.3.46.2 | 7.4.33-150200.3.46.2 | May 12, 2017 | The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leve |
- affected < 7.4.33-150200.3.46.2fixed 7.4.33-150200.3.46.2
In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others by returning invalid respon
- affected < 7.4.33-150200.3.46.2fixed 7.4.33-150200.3.46.2
In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash.
- affected < 7.4.33-150200.3.46.2fixed 7.4.33-150200.3.46.2
In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL
- affected < 7.4.33-150200.3.46.2fixed 7.4.33-150200.3.46.2
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading t
- affected < 7.4.33-150200.3.46.2fixed 7.4.33-150200.3.46.2
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data.
- affected < 7.4.33-150200.3.46.2fixed 7.4.33-150200.3.46.2
In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure.
- affected < 7.4.33-150200.3.46.2fixed 7.4.33-150200.3.46.2
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leve
Page 2 of 2