CVE-2017-11142

high-risk
Published 2017-07-10

In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.

Do I need to act?

!
50.0% chance of exploitation in next 30 days
EPSS score — higher than 50% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (20)

Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php
Php

Affected Vendors

Php

References (20)

Mailing List http://openwall.com/lists/oss-security/2017/07/10/6
Release Notes http://php.net/ChangeLog-5.php
Release Notes http://php.net/ChangeLog-7.php
http://www.securityfocus.com/bid/99601
Vendor Advisory https://bugs.php.net/bug.php?id=73807
Patch https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3
Patch https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3
https://security.netapp.com/advisory/ntap-20180112-0001/
https://www.debian.org/security/2018/dsa-4081
https://www.tenable.com/security/tns-2017-12
Mailing List http://openwall.com/lists/oss-security/2017/07/10/6
Release Notes http://php.net/ChangeLog-5.php
Release Notes http://php.net/ChangeLog-7.php
http://www.securityfocus.com/bid/99601
Vendor Advisory https://bugs.php.net/bug.php?id=73807
Patch https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3
Patch https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3
https://security.netapp.com/advisory/ntap-20180112-0001/
https://www.debian.org/security/2018/dsa-4081
https://www.tenable.com/security/tns-2017-12
64
/ 100
high-risk
Severity 26/34 · High
Exploitability 18/34 · Moderate
Exposure 20/34 · Moderate