CVE-2017-11143
Published: 10 July 2017
In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.
Notes
| Author | Note |
|---|---|
| mdeslaur | only affected 5.6 |
Priority
Medium
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
php5 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| precise |
Released
(5.3.10-1ubuntu3.28)
|
|
| trusty |
Released
(5.5.9+dfsg-1ubuntu4.22)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: http://git.php.net/?p=php-src.git;a=commit;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7 upstream: http://git.php.net/?p=php-src.git;a=commit;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9 |
||
|
php7.0 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(5.6 only)
|
|
| yakkety |
Ignored
(reached end-of-life)
|
|
| zesty |
Not vulnerable
(5.6 only)
|
|
|
php7.1 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(5.6 only)
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|