CVE-2017-11142

high
Description

In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.

References

http://openwall.com/lists/oss-security/2017/07/10/6

http://php.net/ChangeLog-5.php

http://php.net/ChangeLog-7.php

http://www.securityfocus.com/bid/99601

https://bugs.php.net/bug.php?id=73807

https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3

https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3

https://security.netapp.com/advisory/ntap-20180112-0001/

https://www.debian.org/security/2018/dsa-4081

https://www.tenable.com/security/tns-2017-12

Details

Source: MITRE

Published: 2017-07-10

Updated: 2018-01-14

Type: CWE-400

Risk Information

CVSS v2

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

ID | Name | Product | Family | Severity
122541 | PHP 7.1.x < 7.1.3 Denial of Service Vulnerability | Nessus | CGI abuses | high
122537 | PHP 7.0.x < 7.0.17 Denial of Service Vulnerability | Nessus | CGI abuses | high
98822 | PHP 5.6.x < 5.6.31 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | critical
120003 | SUSE SLES12 Security Update : php7 (SUSE-SU-2017:2303-1) | Nessus | SuSE Local Security Checks | high
105664 | Debian DSA-4081-1 : php5 - security update | Nessus | Debian Local Security Checks | critical
103121 | Tenable SecurityCenter PHP < 5.6.31 Multiple Vulnerabilities (TNS-2017-12) | Nessus | Misc. | critical
102947 | openSUSE Security Update : php7 (openSUSE-2017-994) | Nessus | SuSE Local Security Checks | critical
101525 | PHP 5.6.x < 5.6.31 Multiple Vulnerabilities | Nessus | CGI abuses | critical