Vulnerability Description
A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Php | Ext-Http | <= 2.5.6 |
Related Weaknesses (CWE)
References
- https://bugs.php.net/bug.php?id=73055 (Exploit, Mailing List, Vendor Advisory)
- https://bugs.php.net/bug.php?id=73055&edit=1 (Exploit, Vendor Advisory)
- https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83 (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html
FAQ
What is CVE-2016-7398?
CVE-2016-7398 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers...
How severe is CVE-2016-7398?
CVE-2016-7398 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-7398?
Check the references section above for vendor advisories and patch information. Affected products include: Php Ext-Http.