CVE-2017-11142
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2017-11142
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-11142.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-11142
- Downstream
- Related
- Published
- 2017-07-10T14:29:00Z
- Modified
- 2025-10-15T08:42:56.701699Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
- References
-
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- https://bugs.php.net/bug.php?id=73807
- https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3
- https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3
- https://security.netapp.com/advisory/ntap-20180112-0001/
- https://www.debian.org/security/2018/dsa-4081
- http://openwall.com/lists/oss-security/2017/07/10/6
- http://www.securityfocus.com/bid/99601
- https://www.tenable.com/security/tns-2017-12
Affected packages
Git / github.com/php/php-src
Affected ranges
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
Other
NEWS
NEWS-cvs2svn
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_NATIVE_TLS_MERGE
POST_PHP7_EREG_MYSQL_REMOVALS
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_NATIVE_TLS_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
PRE_PHPNG_MERGE
php-5.*
php-5.3.23RC1
php-5.3.29
php-5.3.29RC1
php-5.4.30RC1
php-5.4.32RC1
php-5.4.4RC2
php-5.5.24RC1
php-5.6.18RC1
php-5.6.19RC1
php-5.6.22RC1
php-5.6.23RC1
php-5.6.24RC1
php-7.*
php-7.0.11RC1
php-7.0.12RC1
php-7.0.13RC1
php-7.0.3RC1
php-7.0.4RC1
php-7.0.5RC1
php-7.0.7RC1
php-7.0.8RC1
php-7.0.9RC1
Database specific
vanir_signatures
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"28348859141919998958408428016140039178",
"225147515465150737396624025795257656515",
"99215475884534245857845970963603820764",
"226237275122163237624607682439648773250",
"189481786908456659852663052726213375151",
"71440119112142052417855658924148789731",
"79239961292965705867728102976904745787",
"179752734232827542878690393750686316921",
"188099424091631210252010101265593888658",
"165653614139057169206629735467583924984",
"84232813021568908273938340225130101375",
"312353893467083796724105364500930145621",
"281783171226972528726164776680967964705",
"199214583038427199935155611954785827853",
"36078684777747997871256423870976517862",
"79799886385633628631311795350256399145",
"27496147415769945443176438653116874985",
"9407418922154005529248365188705880632",
"337492892336153157729568346941893080080",
"124107419404495172029185006063264421791",
"30400752898628960156132606725383971269",
"61045214515877697343660386946775700209"
]
},
"source": "https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2017-11142-13aba9d3",
"signature_type": "Line",
"target": {
"file": "main/php_variables.c"
}
},
{
"digest": {
"length": 616.0,
"function_hash": "249037938719514043556291932292439707537"
},
"source": "https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2017-11142-2de5fb24",
"signature_type": "Function",
"target": {
"file": "main/php_variables.c",
"function": "add_post_vars"
}
},
{
"digest": {
"length": 853.0,
"function_hash": "277576675635304849580747893822124977125"
},
"source": "https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2017-11142-76953b11",
"signature_type": "Function",
"target": {
"file": "main/php_variables.c",
"function": "add_post_var"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"28348859141919998958408428016140039178",
"225147515465150737396624025795257656515",
"158746745967828964393242271178550117037",
"10799305647557545806155708165410964944",
"2817076162957742201950559572548708186",
"29400110818513497006900147501988231318",
"241878772281113059536847242441203549897",
"108155168340536874108326348465594425361",
"188099424091631210252010101265593888658",
"165653614139057169206629735467583924984",
"84232813021568908273938340225130101375",
"312353893467083796724105364500930145621",
"281783171226972528726164776680967964705",
"199214583038427199935155611954785827853",
"315082849080393381965340538544456385542",
"79799886385633628631311795350256399145",
"27496147415769945443176438653116874985",
"35517809090076032917703698993791410016"
]
},
"source": "https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2017-11142-a25a26a1",
"signature_type": "Line",
"target": {
"file": "main/php_variables.c"
}
},
{
"digest": {
"length": 898.0,
"function_hash": "148892477929283884465835532575075293985"
},
"source": "https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3",
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2017-11142-d70f2805",
"signature_type": "Function",
"target": {
"file": "main/php_variables.c",
"function": "add_post_var"
}
}
]