PT-2017-4176 · Php+2 · Php+2

Varsleak

·

Published

2017-07-10

·

Updated

2018-05-04

·

CVE-2017-11143

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.6.31
Description The issue is related to flaws in the deserialization mechanism of the PHP programming language interpreter. It may allow a remote attacker to cause a denial of service by injecting XML for deserialization, potentially crashing the PHP interpreter due to an invalid free for an empty boolean element.
Recommendations For PHP versions prior to 5.6.31, update to version 5.6.31 or later to resolve the issue. As a temporary workaround, consider restricting the deserialization of boolean parameters to minimize the risk of exploitation.

Fix

Deserialization of Untrusted Data

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-502CWE-416

Related Identifiers

BDU:2022-02419
CVE-2017-11143
DLA-1034-1
DSA-4081-1
RHSA-2018:1296
SUSE-SU-2017:2317-1
USN-3382-1
USN-3382-2

Affected Products

Php
Suse
Ubuntu