In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information. Reference: https://bugs.php.net/bug.php?id=79699
Created php tracking bugs for this issue: Affects: fedora-all [bug 1885741]
Notice: this fix introduce a behavior change, as cookie names are no more decoded, which may break application relying on this (wrong) behavior
Upstream commit for this issue: https://git.php.net/?p=php-src.git;a=commit;h=6559fe912661ca5ce5f0eeeb591d928451428ed0
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2992 https://access.redhat.com/errata/RHSA-2021:2992
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7070
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4213 https://access.redhat.com/errata/RHSA-2021:4213