Vulnerability Details : CVE-2017-11143
In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter. The invalid free is triggered when ext/wddx/wddx.c handles an empty boolean element, so any code path that passes attacker-controlled input to wddx_deserialize() on an unpatched build is exposed. The impact is denial of service only (availability, not confidentiality or integrity, per the CVSS vectors below).
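The only real fix is upgrading PHP (5.6.31 or later on the 5.6 branch) or not exposing WDDX deserialization to untrusted input at all. Where a legacy wddx_deserialize() call cannot be removed immediately, a structural pre-check on the packet gives a stop-gap. The following Python is an added example written for this page, not code from php-src or from NVD; it assumes the WDDX rule that a boolean element must carry a value attribute of true or false and rejects anything else, including the empty boolean tag named in PHP bug #74145. The two packets at the bottom are constructed for illustration.

```python
"""Reject WDDX packets with empty <boolean> elements before they reach a
legacy PHP wddx_deserialize() call.

Added example for this CVE page (not code from php-src). Assumption: WDDX
requires <boolean value="true|false"/>, so any boolean element without a
usable value attribute is treated as hostile input.
"""
import xml.etree.ElementTree as ET

# NOTE: for untrusted input in production prefer defusedxml, which also
# guards against entity-expansion attacks; the stdlib parser is used here
# only so the example runs without third-party packages.


def wddx_problems(packet: str) -> list[str]:
    """Return the reasons this packet must not be deserialized (empty = ok).

    The checks are deliberately conservative: anything that is not a
    well-formed wddxPacket whose <boolean> elements are fully specified is
    rejected rather than passed on to the deserializer.
    """
    problems: list[str] = []
    try:
        root = ET.fromstring(packet)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != "wddxPacket":
        problems.append(f"root element is <{root.tag}>, expected <wddxPacket>")

    for idx, elem in enumerate(root.iter("boolean")):
        value = elem.get("value")
        if value is None:
            # The empty boolean tag from bug #74145: no value attribute at all.
            problems.append(f"boolean #{idx}: missing value attribute")
        elif value == "":
            # Carries no usable value either; rejected for the same reason.
            problems.append(f"boolean #{idx}: empty value attribute")
        elif value not in ("true", "false"):
            problems.append(f"boolean #{idx}: value {value!r} is not true/false")
        if list(elem) or (elem.text and elem.text.strip()):
            problems.append(f"boolean #{idx}: element must be empty")
    return problems


def is_safe_to_deserialize(packet: str) -> bool:
    """Convenience wrapper: True only when no structural problem was found."""
    return not wddx_problems(packet)


# Constructed sample packets (illustrative, not taken from the bug report).
GOOD_PACKET = (
    "<wddxPacket version='1.0'><header/><data>"
    "<struct><var name='flag'><boolean value='true'/></var></struct>"
    "</data></wddxPacket>"
)
EMPTY_BOOLEAN_PACKET = (
    "<wddxPacket version='1.0'><header/><data><boolean/></data></wddxPacket>"
)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PACKET), ("empty-boolean", EMPTY_BOOLEAN_PACKET)):
        print(name, "->", wddx_problems(pkt) or "ok")
```

Run the pre-check in the same process that would call wddx_deserialize() (or in a front-end filter), and treat any non-empty problem list as a reason to drop the request and log it; the check is a mitigation for this one crash shape, not a substitute for patching.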
Threat overview for CVE-2017-11143
Top countries where our scanners detected CVE-2017-11143: (country chart not reproduced in text)
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2017-11143: 231,896
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2017-11143
Probability of exploitation activity in the next 30 days: 1.19%
Percentile (the proportion of vulnerabilities scored at or below this score): ~83%
CVSS scores for CVE-2017-11143
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
CWE ids for CVE-2017-11143
- CWE-416 (Use After Free): Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Assigned by: nvd@nist.gov (Primary)
- CWE-502 (Deserialization of Untrusted Data): The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-11143
- https://www.tenable.com/security/tns-2017-12
  [R1] SecurityCenter 5.3.2, 5.4.0, 5.4.2, 5.4.5, 5.5.0, and 5.5.1 Fixes Multiple Vulnerabilities - Security Advisory | Tenable®
- http://openwall.com/lists/oss-security/2017/07/10/6
  oss-security - Re: CVE IDs needed for PHP vulnerabilites (affects 5.6.30 and 7.0.20) [Mailing List; Patch; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2018:1296
  RHSA-2018:1296 - Security Advisory - Red Hat Customer Portal
- https://bugs.php.net/bug.php?id=74145
  PHP :: Sec Bug #74145 :: wddx parsing empty boolean tag leads to SIGSEGV [Issue Tracking; Patch; Vendor Advisory]
- http://www.securityfocus.com/bid/99553
  PHP CVE-2017-11143 Denial of Service Vulnerability
- https://security.netapp.com/advisory/ntap-20180112-0001/
  September 2017 PHP Vulnerabilities in NetApp Products | NetApp Product Security
- https://www.debian.org/security/2018/dsa-4081
  Debian -- Security Information -- DSA-4081-1 php5
- http://php.net/ChangeLog-5.php
  PHP: PHP 5 ChangeLog [Release Notes; Vendor Advisory]
- https://git.php.net/?p=php-src.git;a=commit;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
  208.43.231.11 Git - php-src.git/commit [Issue Tracking; Patch; Third Party Advisory]
Products affected by CVE-2017-11143
- cpe:2.3:a:php:php:*:*:*:*:*:*:*:* (versions before 5.6.31, per the description above)