CVE-2018-17082 — MEDIUM (6.1)

Q: How severe is CVE-2018-17082?

CVE-2018-17082 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-17082?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Debian Debian Linux, Netapp Storage Automation Store.

Vulnerability Description

The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Php	Php	< 5.6.38
Debian	Debian Linux	8.0
Netapp	Storage Automation Store	-

Related Weaknesses (CWE)

CWE-79

References

http://php.net/ChangeLog-5.phpRelease Notes
http://php.net/ChangeLog-7.phpRelease Notes
https://access.redhat.com/errata/RHSA-2019:2519
https://bugs.php.net/bug.php?id=76582ExploitIssue TrackingVendor Advisory
https://github.com/php/php-src/commit/23b057742e3cf199612fa8050ae86cae675e214ePatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2018/09/msg00020.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/201812-01Third Party Advisory
https://security.netapp.com/advisory/ntap-20180924-0001/Third Party Advisory
https://www.debian.org/security/2018/dsa-4353Third Party Advisory
https://www.tenable.com/security/tns-2019-07
http://php.net/ChangeLog-5.phpRelease Notes
http://php.net/ChangeLog-7.phpRelease Notes
https://access.redhat.com/errata/RHSA-2019:2519
https://bugs.php.net/bug.php?id=76582ExploitIssue TrackingVendor Advisory
https://github.com/php/php-src/commit/23b057742e3cf199612fa8050ae86cae675e214ePatchVendor Advisory

FAQ

What is CVE-2018-17082?

CVE-2018-17082 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brig...

How severe is CVE-2018-17082?

CVE-2018-17082 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-17082?

Check the references section above for vendor advisories and patch information. Affected products include: Php Php, Debian Debian Linux, Netapp Storage Automation Store.