Vulnerability Description
In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | <= 5.6.30 |
Related Weaknesses (CWE)
References
- http://openwall.com/lists/oss-security/2017/07/10/6Mailing ListPatchThird Party Advisory
- http://php.net/ChangeLog-5.phpRelease NotesVendor Advisory
- http://www.securityfocus.com/bid/99553
- https://access.redhat.com/errata/RHSA-2018:1296
- https://bugs.php.net/bug.php?id=74145Issue TrackingPatchVendor Advisory
- https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=2aae60461c2ff7b7fbcdd194c789ac
- https://security.netapp.com/advisory/ntap-20180112-0001/
- https://www.debian.org/security/2018/dsa-4081
- https://www.tenable.com/security/tns-2017-12
- http://openwall.com/lists/oss-security/2017/07/10/6Mailing ListPatchThird Party Advisory
- http://php.net/ChangeLog-5.phpRelease NotesVendor Advisory
- http://www.securityfocus.com/bid/99553
- https://access.redhat.com/errata/RHSA-2018:1296
- https://bugs.php.net/bug.php?id=74145Issue TrackingPatchVendor Advisory
- https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=2aae60461c2ff7b7fbcdd194c789ac
FAQ
What is CVE-2017-11143?
CVE-2017-11143 is a vulnerability with a CVSS score of 7.5 (HIGH). In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an in...
How severe is CVE-2017-11143?
CVE-2017-11143 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-11143?
Check the references section above for vendor advisories and patch information. Affected products include: Php Php.