PT-2017-2598 · PHP +7
Published: 2017-05-12 · Updated: 2026-02-24 · CVE-2017-8923
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PHP versions through 7.1.5
Description
The issue is in the zend_string_extend function in PHP, which does not prevent changes to string objects that result in a negative length. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of the .= operator with a long string. The vulnerability can be exploited with a specially crafted script that applies the .= operation to a long string.
Recommendations
For PHP versions through 7.1.5, update to a version that contains a fix for this issue to prevent potential denial of service or other impacts.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
RCE
Memory Corruption
Related Identifiers
Affected Products
ALT Linux
CentOS
Linux Mint
PHP
Red Hat
Rocky Linux
SUSE
Ubuntu