CVE-2020-7066: 
PHP vulnerability analysis and mitigation

In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, a vulnerability was discovered in the get_headers() function when handling user-supplied URLs. If the URL contains a null byte character (\0), the URL will be silently truncated at that point (PHP Bug, NVD).

The vulnerability affects the get_headers() PHP function when processing URLs containing null bytes. When such a URL is provided, the function silently truncates the URL at the null byte position without providing any warning or error message. This behavior could lead to incorrect URL processing and potentially cause security issues. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (Ubuntu Security).

The vulnerability could cause software to make incorrect assumptions about the target of the get_headers() function, potentially leading to information being sent to an unintended server. This may result in sensitive information disclosure to wrong destinations (Debian Security).

The vulnerability has been fixed in PHP versions 7.2.29, 7.3.16, and 7.4.4. Users are advised to upgrade their PHP installations to these versions or later. Multiple Linux distributions have released security updates to address this vulnerability, including Ubuntu, Debian, and OpenSUSE (Debian Security, Ubuntu Security).