Alpine: php7: security update to 7.2.5-r0

high Tenable Self-Hosted Container Security Plugin ID 406330

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file. (CVE-2018-5712)

- An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences. (CVE-2018-10546)

- An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712. (CVE-2018-10547)

- An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value. (CVE-2018-10548)

- An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character. (CVE-2018-10549)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-10546

https://security.alpinelinux.org/vuln/CVE-2018-10547

https://security.alpinelinux.org/vuln/CVE-2018-10548

https://security.alpinelinux.org/vuln/CVE-2018-10549

https://security.alpinelinux.org/vuln/CVE-2018-5712

Plugin Details

Severity: High

ID: 406330

Version: Revision 1.24

Type: Local

Published: 10/31/2023

Updated: 3/13/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-10549

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/16/2018

Reference Information

CVE: CVE-2018-10546, CVE-2018-10547, CVE-2018-10548, CVE-2018-10549, CVE-2018-5712

BID: 102742, 104019, 104020

IAVB: 2018-B-0010-S, 2018-B-0058-S