exploitDog

CVE-2017-5630

Published: 26 Jan 2017
Source: redhat
CVSS3: 3.4
EPSS: Low

Description

PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.

A vulnerability was found in php-pear where if a malicious server responded to a pear

Report

Since pear's purpose is to download libraries for inclusion in an application, any use of pear install or pear download implicitly trusts the server. This vulnerability does not significantly extend the trust already given to pear and to servers used with it.

Mitigation

This vulnerability only allows files in the current directory to be overwritten, so using pear download in a temporary directory effectively mitigates the risk of a dangerous file overwrite occurring.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat Enterprise Linux 5 | php-pear | Will not fix | | |
| Red Hat Enterprise Linux 6 | php-pear | Will not fix | | |
| Red Hat Enterprise Linux 7 | php-pear | Will not fix | | |
| Red Hat Software Collections | rh-php56-php-pear | Will not fix | | |
| Red Hat Software Collections | rh-php70-php-pear | Will not fix | | |

Additional information

Status: Moderate
Defect: CWE-73
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1418771
php-pear: File overwrite by malicious server

EPSS

Percentile: 91%
Score: 0.0754
Low

CVSS3: 3.4 Low

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 8 years ago

PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.

CVSS3: 7.5
nvd
more than 8 years ago

PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.

CVSS3: 7.5
debian
more than 8 years ago

PECL in the download utility class in the Installer in PEAR Base Syste ...

CVSS3: 7.5
github
about 3 years ago

PEAR core file overwrite vulnerability

CVSS3: 7.5
fstec
more than 8 years ago

Vulnerability in the PHP PEAR class library related to insufficient neutralization of special elements in a request, allowing an attacker to affect data integrity