CVE-2017-11144
high-risk
Published 2017-07-10
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.
Do I need to act?
41.6% chance of exploitation in next 30 days
EPSS score — higher than 58% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10
High
NETWORK / LOW complexity
Affected Products (20)
Affected Vendors
References (24)
Mailing List
http://openwall.com/lists/oss-security/2017/07/10/6
Release Notes
http://php.net/ChangeLog-5.php
Release Notes
http://php.net/ChangeLog-7.php
Third Party Advisory
https://bugs.php.net/bug.php?id=74651
and 4 more references
65 / 100
high-risk
Severity
26/34 · High
Exploitability
17/34 · Moderate
Exposure
22/34 · High