CVE-2015-8617

high-risk
Published 2016-01-19

Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.

Do I need to act?

!
27.1% chance of exploitation in next 30 days
EPSS score — higher than 73% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
39082
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Php

Affected Vendors

Php

References (8)

Vendor Advisory http://php.net/ChangeLog-7.php
http://www.securitytracker.com/id/1034543
Exploit https://bugs.php.net/bug.php?id=71105
https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e
Vendor Advisory http://php.net/ChangeLog-7.php
http://www.securitytracker.com/id/1034543
Exploit https://bugs.php.net/bug.php?id=71105
https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e
52
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 15/34 · Moderate
Exposure 5/34 · Minimal