CVE-2017-16642
high-risk
Published 2017-11-07
In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.
Do I need to act?
EPSS score: 8.3% chance of exploitation in next 30 days (moderate exploit probability)
CISA KEV: Not on CISA KEV list. No confirmed active exploitation reported to CISA
Public exploits: 1 public exploit available
Patch status: unknown. Check vendor advisories for fix availability and mitigation guidance
CVSS: 7.5/10 (High), NETWORK / LOW complexity
Affected Products (6)
References (26)
Issue Tracking: http://php.net/ChangeLog-5.php
Issue Tracking: http://php.net/ChangeLog-7.php
Third Party Advisory: http://www.securityfocus.com/bid/101745
Third Party Advisory: https://access.redhat.com/errata/RHSA-2018:1296
Issue Tracking: https://bugs.php.net/bug.php?id=75055
Third Party Advisory: https://security.netapp.com/advisory/ntap-20181123-0001/
Third Party Advisory: https://usn.ubuntu.com/3566-1/
Third Party Advisory: https://www.debian.org/security/2018/dsa-4080
Third Party Advisory: https://www.debian.org/security/2018/dsa-4081
and 6 more references
56 / 100 (high-risk)
Severity: 26/34 · High
Exploitability: 17/34 · Moderate
Exposure: 13/34 · Low