CVE-2016-7398

A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://bugs.php.net/bug.php?id=73055	Exploit Mailing List Vendor Advisory
https://bugs.php.net/bug.php?id=73055&edit=1	Exploit Vendor Advisory
https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:php:ext-http::::::::
	cpe:2.3:a:php:ext-http::::::::
	cpe:2.3:a:php:ext-http:2.6.0:-::::::
	cpe:2.3:a:php:ext-http:2.6.0:beta1::::::
	cpe:2.3:a:php:ext-http:2.6.0:beta2::::::
	cpe:2.3:a:php:ext-http:2.6.0:rc1::::::
	cpe:2.3:a:php:ext-http:3.1.0:::::::*
	cpe:2.3:a:php:ext-http:3.1.0:beta1::::::
	cpe:2.3:a:php:ext-http:3.1.0:beta2::::::
	cpe:2.3:a:php:ext-http:3.1.0:rc1::::::

History

No history.

Information

Published : 2019-09-06 19:15

Updated : 2024-02-28 17:08

NVD link : CVE-2016-7398

Mitre link : CVE-2016-7398

CVE.ORG link : CVE-2016-7398

JSON object : View

Products Affected

php

ext-http

CWE

CWE-704

Incorrect Type Conversion or Cast

{"id": "CVE-2016-7398", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-09-06T19:15:11.387", "references": [{"url": "https://bugs.php.net/bug.php?id=73055", "tags": ["Exploit", "Mailing List", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://bugs.php.net/bug.php?id=73055&edit=1", "tags": ["Exploit", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-704"}]}], "descriptions": [{"lang": "en", "value": "A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests."}, {"lang": "es", "value": "Una vulnerabilidad de confusi\u00f3n de tipo en la funci\u00f3n merge_param() del archivo php_http_params.c en la extensi\u00f3n pecl-http de PHP versi\u00f3n 3.1.0beta2 (PHP 7) y anteriores, as\u00ed como tambi\u00e9n versi\u00f3n 2.6.0beta2 (PHP 5) y anteriores, permite a atacantes bloquear PHP y posiblemente ejecutar c\u00f3digo arbitrario por medio de peticiones HTTP creadas."}], "lastModified": "2019-09-20T21:15:11.120", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:php:ext-http:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14147AA2-88B6-4FB1-85D2-B5E6303A01E1", "versionEndIncluding": "2.5.6"}, {"criteria": "cpe:2.3:a:php:ext-http:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F6F5342-02E9-47D8-9A78-C5500316CF32", "versionEndIncluding": "3.0.1", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:php:ext-http:2.6.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "002D0A5C-AC9C-4834-853F-E654007B6E9B"}, {"criteria": "cpe:2.3:a:php:ext-http:2.6.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2553E007-B037-4864-8422-07E258479C66"}, {"criteria": "cpe:2.3:a:php:ext-http:2.6.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "665FFBDD-7A2C-49C2-A773-93F4C359FE89"}, {"criteria": "cpe:2.3:a:php:ext-http:2.6.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D58B96D-6D9B-47FB-AE57-D933F08B3C1B"}, {"criteria": "cpe:2.3:a:php:ext-http:3.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB488CE3-0E47-4A13-9B8A-841DEE172E32"}, {"criteria": "cpe:2.3:a:php:ext-http:3.1.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D31B18B2-5326-489D-99A5-CFB9524CAB12"}, {"criteria": "cpe:2.3:a:php:ext-http:3.1.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C15E183A-FFF4-4F72-8961-F8A7194B9E13"}, {"criteria": "cpe:2.3:a:php:ext-http:3.1.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "623E4BBF-D8E3-48F4-AC70-4AD4AD232BD5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}