Vulnerability CVE-2017-11146
Published: 2017-07-10

Description:
In PHP through 5.6.31, 7.x through 7.0.21, and 7.1.x through 7.1.7, lack of bounds checks in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-11145.

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
PHP -> PHP 

 References:
http://openwall.com/lists/oss-security/2017/07/10/6
http://www.securityfocus.com/bid/99612
https://bugs.php.net/bug.php?id=74819
https://gist.github.com/anonymous/bd77ac90d3bdf31ce2a5251ad92e9e75
Copyright 2024, cxsecurity.com

 

Back to Top