Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
NA

CVE-2017-11146

Published: 10/07/2017 Updated: 07/11/2023

Vulnerability Summary

Tenable has released updates for SecurityCenter 5.3.2, 5.4.0, 5.4.2, 5.4.5, 5.5.0, and 5.5.1 to bring the version of PHP included with them to 5.6.31. PHP 5.6.31 addresses multiple vulnerabilities: CVE-2017-11142: In PHP prior to 5.6.31, 7.x prior to 7.0.17, and 7.1.x prior to 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c. CVE-2017-11143: In PHP prior to 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c. CVE-2017-11144: In PHP prior to 5.6.31, 7.x prior to 7.0.21, and 7.1.x prior to 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission. CVE-2017-11145: In PHP prior to 5.6.31, 7.x prior to 7.0.21, and 7.1.x prior to 7.1.7, lack of a bounds check in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to an ext/date/lib/parse_date.c out-of-bounds read affecting the php_parse_date function. CVE-2017-11146: In PHP up to and including 5.6.31, 7.x up to and including 7.0.21, and 7.1.x up to and including 7.1.7, lack of bounds checks in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-11145. CVE-2017-11147: In PHP prior to 5.6.30 and 7.x prior to 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c. CVE-2017-7890: PHP 'gd_gif_in.c' Memory Corruption Vulnerability Please refer to the PHP 5.6.31 release notes for more information

Vulnerability Trend

Vendor Advisories

Tenable Security Advisories: [R1] SecurityCenter 5.3.2, 5.4.0, 5.4.2, 5.4.5, 5.5.0, and 5.5.1 Fixes Multiple Vulnerabilities
Tenable has released updates for SecurityCenter 532, 540, 542, 545, 550, and 551 to bring the version of PHP included with them to 5631 PHP 5631 addresses multiple vulnerabilities: CVE-2017-11142: In PHP before 5631, 7x before 7017, and 71x before 713, remote attackers could cause a CPU consumption denial of service atta ...

References

https://nvd.nist.govhttps://www.tenable.com/security/tns-2017-12
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4651CVE-2024-34255elevation of privilegeCVE-2024-25529CVE-2024-4671NULL pointer dereferenceCVE-2024-25527template injectionCVE-2008-0166
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook