Main Vulnerability Database Vulnerabilities #VU40513

#VU40513 Format string error in PHP - CVE-2015-8617

Published: January 19, 2016 / Updated: August 9, 2020

Vulnerability identifier: #VU40513

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2015-8617

CWE-ID: CWE-134

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
PHP

Software vendor:
PHP Group

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.

Remediation

Install update from vendor's website.

External links

http://php.net/ChangeLog-7.php
http://www.securitytracker.com/id/1034543
https://bugs.php.net/bug.php?id=71105
https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e

#VU40513 Format string error in PHP - CVE-2015-8617

Description

Remediation

External links

Please verify you're human