Alpine: php7: security update to 7.1.17-r0

high Tenable Cloud Security Plugin ID 406311

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before
7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because
exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character. (CVE-2018-10549)

- An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before
7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
(CVE-2018-5712)

- An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before
7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a
PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information
from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM
worker process. (CVE-2018-10545)

- An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before
7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject
invalid multibyte sequences. (CVE-2018-10546)

- An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before
7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request
data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2018-5712. (CVE-2018-10547)
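
The only remediation check this advisory supports is the fixed package version in its title, 7.1.17-r0. The following is an added example, not Tenable's plugin logic and not Alpine tooling: a POSIX sh checker that takes package lines in the name-version-release form that `apk info -v` prints and flags any php7 package (including subpackages such as php7-fpm and php7-exif) whose version compares below 7.1.17-r0. The sample package lines are constructed, and the helpers (`split_ver`, `vercmp`, `pkg_name`, `pkg_version`, `is_vulnerable`) are this example's own; versions are assumed to be plain X.Y.Z-rN with no _alpha/_p/_git suffixes.

```shell
#!/bin/sh
# Added example (not Tenable's plugin logic, not Alpine tooling): flag php7
# packages older than the version this advisory says fixes the listed CVEs.
# Input lines are in the "name-version-release" form `apk info -v` prints.
# Assumption: versions are plain X.Y.Z-rN (no _alpha/_p/_git suffixes).

FIXED="7.1.17-r0"

# Turn "7.1.17-r0" into the space-separated field list "7 1 17 0".
split_ver() {
    printf '%s\n' "$1" | sed 's/-r/ /; s/\./ /g'
}

# Numeric field-by-field comparison of two Alpine versions, so that
# 7.1.9-r0 sorts below 7.1.17-r0 (a plain string compare would not).
# Prints -1, 0 or 1 for a<b, a=b, a>b. A missing field counts as 0.
vercmp() {
    a="$(split_ver "$1") "   # trailing space terminates the field list
    b="$(split_ver "$2") "
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; a=${a#* }
        y=${b%% *}; b=${b#* }
        x=${x:-0};  y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return; fi
    done
    printf '%s\n' 0
}

# Split an apk package line into name and full version. The release ("rN")
# is the last "-" field and the version the one before it; the name itself
# may contain dashes (php7-fpm, php7-exif).
pkg_name()    { p=${1%-*}; printf '%s\n' "${p%-*}"; }
pkg_version() { p=${1%-*}; printf '%s-%s\n' "${p##*-}" "${1##*-}"; }

# Succeed (exit 0) only when the line is a php7 package below FIXED.
is_vulnerable() {
    case $(pkg_name "$1") in
        php7|php7-*) ;;
        *) return 1 ;;
    esac
    [ "$(vercmp "$(pkg_version "$1")" "$FIXED")" -lt 0 ]
}

# Constructed sample of `apk info -v` output; not captured from a real host.
SAMPLE='musl-1.1.19-r10
php7-7.1.16-r0
php7-fpm-7.1.16-r0
php7-exif-7.1.17-r0
php7-7.2.5-r0'

scan() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r pkg; do
        if is_vulnerable "$pkg"; then
            printf 'VULNERABLE  %s  (fixed in %s-%s)\n' "$pkg" "$(pkg_name "$pkg")" "$FIXED"
        else
            printf 'ok          %s\n' "$pkg"
        fi
    done
}

scan
```

On a real Alpine host, feed it `apk info -v` instead of the constructed sample, and note that `apk version -t A B` (which prints `<`, `=` or `>`) handles the full apk version grammar, including suffixed versions that the simplified `vercmp` above does not.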

See Also

https://security.alpinelinux.org/vuln/CVE-2018-10545

https://security.alpinelinux.org/vuln/CVE-2018-10546

https://security.alpinelinux.org/vuln/CVE-2018-10547

https://security.alpinelinux.org/vuln/CVE-2018-10548

https://security.alpinelinux.org/vuln/CVE-2018-10549

https://security.alpinelinux.org/vuln/CVE-2018-5712

Plugin Details

Severity: High

ID: 406311

Version: Revision 1.24

Type: Local

Published: 10/31/2023

Updated: 3/13/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-10549

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/16/2018

Reference Information

CVE: CVE-2018-10545, CVE-2018-10546, CVE-2018-10547, CVE-2018-10548, CVE-2018-10549, CVE-2018-5712

BID: 102742, 104019, 104020, 104022

IAVB: 2018-B-0010-S, 2018-B-0058-S