Risk | Low |
Patch available | YES |
Number of vulnerabilities | 7 |
CVE-ID | CVE-2018-14883 CVE-2018-14851 |
CWE-ID | CWE-401 CWE-122 CWE-190 CWE-191 CWE-400 CWE-388 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
PHP Universal components / Libraries / Scripting languages |
Vendor | PHP Group |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
EUVDB-ID: #VU13914
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
Description: The vulnerability allows a remote attacker to obtain potentially sensitive information or cause a DoS condition on the target system.
The weakness exists due to a memory leak when creating a large number of objects without storing them. A remote attacker can execute the script as an HTTP request, cause memory usage to keep increasing, and gain access to arbitrary data or cause the service to crash.
Update to version 7.2.8.
Vulnerable software versions: PHP 7.2.0 - 7.2.7
External links: http://bugs.php.net/bug.php?id=76520
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13915
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-14883
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to an integer overflow when processing exif_read_data on any 32-bit system. A remote attacker can trigger a heap-based buffer overflow in exif_thumbnail_extract of exif.c and cause the service to crash.
The vulnerability is addressed in the versions 5.6.37, 7.0.31, 7.1.20, 7.2.8.
Vulnerable software versions: PHP 5.6.36 - 7.2.7
External links: http://bugs.php.net/bug.php?id=76423
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13916
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-14851
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to a heap-based buffer overflow (READ of size 48) while reading EXIF data. A remote attacker can trigger memory corruption and cause the service to crash.
The vulnerability is addressed in the versions 5.6.37, 7.0.31, 7.1.20, 7.2.8.
Vulnerable software versions: PHP 5.6.36 - 7.2.7
External links: http://bugs.php.net/bug.php?id=76557
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13917
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to an integer underflow when unserializing a specially crafted, malformed GMP object. A remote attacker can trigger a segmentation fault and cause the service to crash.
The vulnerability is addressed in the versions 7.1.20, 7.2.8.
Vulnerable software versions: PHP 7.1.19 - 7.2.7
External links: http://bugs.php.net/bug.php?id=74670
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13918
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to an integer overflow in mb_strimwidth, which returns an empty string for $width > 2147483647. A remote attacker can trigger resource exhaustion in mb_strimwidth and cause the service to crash.
The vulnerability is addressed in the versions 7.1.20, 7.2.8.
Vulnerable software versions: PHP 7.1.19 - 7.2.7
External links: http://bugs.php.net/bug.php?id=76532
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13919
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-388 - Error Handling
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to a flaw when throwing an exception from within an error handler. A remote attacker can cause the service to crash.
The vulnerability is addressed in the versions 7.1.20, 7.2.8.
Vulnerable software versions: PHP 7.1.19 - 7.2.7
External links: http://bugs.php.net/bug.php?id=76536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13920
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-388 - Error Handling
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to a fatal 'Illegal string offset' error when using array assignment on a string reference. A remote attacker can use an error handler that converts errors to exceptions and cause the service to hang.
The vulnerability is addressed in the versions 7.1.20, 7.2.8.
Vulnerable software versions: PHP 7.1.19 - 7.2.7
External links: http://bugs.php.net/bug.php?id=76534
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.