CVE-2020-7062

In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter null pointer dereference, which would likely lead to a crash.

Weakness

The product dereferences a pointer that it expects to be valid but is NULL.

Affected Software

Name	Vendor	Start Version	End Version
Php	Php	7.2.0 (including)	7.2.27 (including)
Php	Php	7.3.0 (including)	7.3.14 (including)
Php	Php	7.4.0 (including)	7.4.2 (including)
Red Hat Enterprise Linux 8	RedHat	php:7.3-8020020200715124551.ceb1cf90	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	rh-php73-php-0:7.3.20-1.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS	RedHat	rh-php73-php-0:7.3.20-1.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS	RedHat	rh-php73-php-0:7.3.20-1.el7	*
Php5	Ubuntu	esm-infra-legacy/trusty	*
Php5	Ubuntu	trusty	*
Php5	Ubuntu	trusty/esm	*
Php7.0	Ubuntu	esm-infra/xenial	*
Php7.0	Ubuntu	xenial	*
Php7.2	Ubuntu	bionic	*
Php7.2	Ubuntu	esm-infra/bionic	*
Php7.3	Ubuntu	eoan	*
Php7.3	Ubuntu	upstream	*
Php7.4	Ubuntu	trusty	*
Php7.4	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2020-7062
CWE	https://cwe.mitre.org/data/definitions/476.html

NULL Pointer Dereference

Weakness

Affected Software

Potential Mitigations

References