CVE-2018-10546

MEDIUM

Description

An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.

References

http://php.net/ChangeLog-5.php

http://php.net/ChangeLog-7.php

http://www.securityfocus.com/bid/104019

http://www.securitytracker.com/id/1040807

https://access.redhat.com/errata/RHSA-2019:2519

https://bugs.php.net/bug.php?id=76249

https://lists.debian.org/debian-lts-announce/2018/06/msg00005.html

https://security.gentoo.org/glsa/201812-01

https://security.netapp.com/advisory/ntap-20180607-0003/

https://usn.ubuntu.com/3646-1/

https://www.debian.org/security/2018/dsa-4240

https://www.tenable.com/security/tns-2018-12

Details

Source: MITRE

Published: 2018-04-29

Updated: 2019-10-03

Type: CWE-835

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

ID	Name	Product	Family	Severity
124997	EulerOS Virtualization 3.0.1.0 : php (EulerOS-SA-2019-1544)	Nessus	Huawei Local Security Checks	critical
123717	EulerOS Virtualization 2.5.4 : php (EulerOS-SA-2019-1249)	Nessus	Huawei Local Security Checks	medium
123715	EulerOS Virtualization 2.5.3 : php (EulerOS-SA-2019-1247)	Nessus	Huawei Local Security Checks	medium
122692	EulerOS 2.0 SP5 : php (EulerOS-SA-2019-1069)	Nessus	Huawei Local Security Checks	medium
98868	PHP 7.2.x < 7.2.5 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98860	PHP 7.1.x < 7.1.17 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98849	PHP 7.0.x < 7.0.30 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98826	PHP 5.6.x < 5.6.36 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
120886	Fedora 28 : php (2018-ee6707d519)	Nessus	Fedora Local Security Checks	medium
120023	SUSE SLES12 Security Update : php5 (SUSE-SU-2018:1291-1)	Nessus	SuSE Local Security Checks	medium
120021	SUSE SLES12 Security Update : php7 (SUSE-SU-2018:1176-1)	Nessus	SuSE Local Security Checks	medium
119320	GLSA-201812-01 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
117753	EulerOS 2.0 SP3 : php (EulerOS-SA-2018-1310)	Nessus	Huawei Local Security Checks	medium
117752	EulerOS 2.0 SP2 : php (EulerOS-SA-2018-1309)	Nessus	Huawei Local Security Checks	medium
117672	Tenable SecurityCenter < 5.7.1 Multiple Vulnerabilities (TNS-2018-12)	Nessus	Misc.	high
110928	Debian DSA-4240-1 : php7.0 - security update	Nessus	Debian Local Security Checks	high
110697	Debian DLA-1397-1 : php5 security update	Nessus	Debian Local Security Checks	high
109878	openSUSE Security Update : php5 (openSUSE-2018-465)	Nessus	SuSE Local Security Checks	medium
109871	Slackware 14.0 / 14.1 / 14.2 : php (SSA:2018-136-02)	Nessus	Slackware Local Security Checks	medium
109860	SUSE SLES11 Security Update : php53 (SUSE-SU-2018:1294-1)	Nessus	SuSE Local Security Checks	medium
109812	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : php5, php7.0, php7.1, php7.2 vulnerabilities (USN-3646-1)	Nessus	Ubuntu Local Security Checks	medium
109714	openSUSE Security Update : php7 (openSUSE-2018-441)	Nessus	SuSE Local Security Checks	medium
109701	Amazon Linux AMI : php56 / php70,php71 (ALAS-2018-1019)	Nessus	Amazon Linux Local Security Checks	medium
109579	PHP 7.2.x < 7.2.5 Stack Buffer Overflow	Nessus	CGI abuses	medium
109578	PHP 7.1.x < 7.1.17 Multiple Vulnerabilities	Nessus	CGI abuses	medium
109577	PHP 7.0.x < 7.0.30 Multiple Vulnerabilities	Nessus	CGI abuses	medium
109576	PHP 5.6.x < 5.6.36 Multiple Vulnerabilities	Nessus	CGI abuses	medium
109560	Fedora 26 : php (2018-6071a600e8)	Nessus	Fedora Local Security Checks	medium
109559	Fedora 27 : php (2018-04f6056c42)	Nessus	Fedora Local Security Checks	medium