PHP — популярный язык сценариев общего назначения, особенно подходящий для веб-разработки.
Релизный цикл, информация об уязвимостях
График релизов
Количество 3 889
CVE-2017-7963
The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. NOTE: the vendor disputes this, stating "There is no security issue here, because GMP safely aborts in case of an OOM condition. The only attack vector here is denial of service. However, if you allow attacker-controlled, unbounded allocations you have a DoS vector regardless of GMP's OOM behavior.
BDU:2018-00008
Уязвимость функции GIF-декодирования gdImageCreateFromGifCtx (gd_gif_in.c) библиотеки для создания и работы с программируемой графикой libgd2, позволяющая нарушителю нарушить конфиденциальность информации
openSUSE-SU-2017:0982-1
Security update for php7
CVE-2017-6441
The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerability, stating "Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only.
CVE-2017-6441
The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allow ...
CVE-2017-6441
The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerability, stating "Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only.
SUSE-SU-2017:0899-1
Security update for php7
openSUSE-SU-2017:0850-1
Security update for php5
CVE-2017-7272
PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.
CVE-2017-7272
PHP through 7.1.11 enables potential SSRF in applications that accept ...
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2017-7963 The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. NOTE: the vendor disputes this, stating "There is no security issue here, because GMP safely aborts in case of an OOM condition. The only attack vector here is denial of service. However, if you allow attacker-controlled, unbounded allocations you have a DoS vector regardless of GMP's OOM behavior. | CVSS3: 7.5 | 2% Низкий | почти 9 лет назад |
 | BDU:2018-00008 Уязвимость функции GIF-декодирования gdImageCreateFromGifCtx (gd_gif_in.c) библиотеки для создания и работы с программируемой графикой libgd2, позволяющая нарушителю нарушить конфиденциальность информации | CVSS3: 6.5 | 25% Средний | почти 9 лет назад |
 | openSUSE-SU-2017:0982-1 Security update for php7 | 2% Низкий | почти 9 лет назад | |
 | CVE-2017-6441 The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerability, stating "Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only. | CVSS3: 7.5 | 0% Низкий | около 9 лет назад |
| CVE-2017-6441 The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allow ... | CVSS3: 7.5 | 0% Низкий | около 9 лет назад |
| CVE-2017-6441 The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerability, stating "Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only. | CVSS3: 7.5 | 0% Низкий | около 9 лет назад |
| SUSE-SU-2017:0899-1 Security update for php7 | 2% Низкий | около 9 лет назад | |
| openSUSE-SU-2017:0850-1 Security update for php5 | 2% Низкий | около 9 лет назад | |
| CVE-2017-7272 PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function. | CVSS3: 7.4 | 1% Низкий | около 9 лет назад |
| CVE-2017-7272 PHP through 7.1.11 enables potential SSRF in applications that accept ... | CVSS3: 7.4 | 1% Низкий | около 9 лет назад |
Уязвимостей на страницу