A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.
References
Link | Resource |
---|---|
https://bugs.php.net/bug.php?id=73055 | Exploit Mailing List Vendor Advisory |
https://bugs.php.net/bug.php?id=73055&edit=1 | Exploit Vendor Advisory |
https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83 | Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html | |
https://bugs.php.net/bug.php?id=73055 | Exploit Mailing List Vendor Advisory |
https://bugs.php.net/bug.php?id=73055&edit=1 | Exploit Vendor Advisory |
https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83 | Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 02:57
Type | Values Removed | Values Added |
---|---|---|
References | () https://bugs.php.net/bug.php?id=73055 - Exploit, Mailing List, Vendor Advisory | |
References | () https://bugs.php.net/bug.php?id=73055&edit=1 - Exploit, Vendor Advisory | |
References | () https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83 - Patch, Third Party Advisory | |
References | () https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html - |
Information
Published : 2019-09-06 19:15
Updated : 2024-11-21 02:57
NVD link : CVE-2016-7398
Mitre link : CVE-2016-7398
CVE.ORG link : CVE-2016-7398
JSON object : View
Products Affected
php
- ext-http
CWE
CWE-704
Incorrect Type Conversion or Cast