CVE-2018-17082

Published: 16 September 2018

The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a "Transfer-Encoding: chunked" request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package Release Status

php5
Launchpad, Ubuntu, Debian
Upstream: Released (5.6.38)
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Released (5.5.9+dfsg-1ubuntu4.26)
Patches:
Upstream: https://github.com/php/php-src/commit/23b057742e3cf199612fa8050ae86cae675e214e

php7.0
Launchpad, Ubuntu, Debian
Upstream: Released (7.0.32)
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Released (7.0.32-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

php7.2
Launchpad, Ubuntu, Debian
Upstream: Released (7.2.10)
Ubuntu 18.04 LTS (Bionic Beaver): Released (7.2.10-0ubuntu0.18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist