A vulnerability was found in php-pear where if a malicious server responded to a pear
Find out more about CVE-2017-5630 from the MITRE CVE dictionary dictionary and NIST NVD.
Since pear's purpose is to download libraries for inclusion in an application, any use of pear install or pear download implicitly trusts the server. This vulnerability does not significantly extend the trust already given to pear and to servers used with it.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 3.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | None |
| Integrity Impact | Low |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-php56-php-pear | Will not fix |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-php70-php-pear | Will not fix |
| Red Hat Enterprise Linux 7 | php-pear | Will not fix |
| Red Hat Enterprise Linux 6 | php-pear | Will not fix |
| Red Hat Enterprise Linux 5 | php-pear | Will not fix |
This vulnerability only allows files in the current directory to be overwritten, so using `pear download` in a temporary directory effectively mitigates the risk of a dangerous file overwrite occurring.
Vulmon