CVE-2017-11147 — CRITICAL (9.1)

Q: How severe is CVE-2017-11147?

CVE-2017-11147 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-11147?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Netapp Clustered Data Ontap.

Vulnerability Description

In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Php	Php	< 5.6.30
Netapp	Clustered Data Ontap	-

Related Weaknesses (CWE)

CWE-125

References

http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e5246580a85f031e1a3b8064edbaa55
http://openwall.com/lists/oss-security/2017/07/10/6Mailing ListPatchThird Party Advisory
http://php.net/ChangeLog-5.phpRelease NotesVendor Advisory
http://php.net/ChangeLog-7.phpRelease NotesVendor Advisory
http://www.securityfocus.com/bid/99607Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:1296Third Party Advisory
https://bugs.php.net/bug.php?id=73773ExploitIssue TrackingVendor Advisory
https://security.netapp.com/advisory/ntap-20180112-0001/Third Party Advisory
https://www.tenable.com/security/tns-2017-12Third Party Advisory
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e5246580a85f031e1a3b8064edbaa55
http://openwall.com/lists/oss-security/2017/07/10/6Mailing ListPatchThird Party Advisory
http://php.net/ChangeLog-5.phpRelease NotesVendor Advisory
http://php.net/ChangeLog-7.phpRelease NotesVendor Advisory
http://www.securityfocus.com/bid/99607Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:1296Third Party Advisory

FAQ

What is CVE-2017-11147?

CVE-2017-11147 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due t...

How severe is CVE-2017-11147?

CVE-2017-11147 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-11147?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Netapp Clustered Data Ontap.