CVE-2017-11147
- Source
- https://cve.org/CVERecord?id=CVE-2017-11147
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-11147.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-11147
- Downstream
- Related
- Published
- 2017-07-10T14:29:00.697Z
- Modified
- 2026-04-11T15:15:18.595285Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the pharparsepharfile function in ext/phar/phar.c.
- References
-
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e5246580a85f031e1a3b8064edbaa55c1643a451
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/99607
- https://access.redhat.com/errata/RHSA-2018:1296
- https://security.netapp.com/advisory/ntap-20180112-0001/
- https://www.tenable.com/security/tns-2017-12
- https://bugs.php.net/bug.php?id=73773
- http://openwall.com/lists/oss-security/2017/07/10/6
Affected packages
Git / github.com/php/php-src
Affected ranges
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixed
- Database specific
{ "source": "CPE_FIELD", "extracted_events": [ { "introduced": "0" }, { "fixed": "5.6.30" }, { "introduced": "7.0.0" }, { "fixed": "7.0.15" }, { "introduced": "7.1.0" }, { "fixed": "7.1.1" } ], "cpe": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*" }
Affected versions
Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS
php-5.*
php-5.6.30RC1
php-7.*
php-7.0.15RC1
php-7.1.1RC1
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-11147.json"
vanir_signatures
[
{
"target": {
"function": "_gd2GetHeader",
"file": "ext/gd/libgd/gd_gd2.c"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://github.com/php/php-src/commit/9abbc3cc6d0f448435ca38bef694f671bf7303d8",
"id": "CVE-2017-11147-12d1fca6",
"digest": {
"function_hash": "291942526429879441159894536430346133521",
"length": 2665.0
}
},
{
"target": {
"file": "ext/gd/libgd/gd_gd2.c"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://github.com/php/php-src/commit/9abbc3cc6d0f448435ca38bef694f671bf7303d8",
"id": "CVE-2017-11147-a887e78f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"268808390959611610380382661363715926383",
"332457077737297600470842301867489262455",
"183820387990733455444215637150999073887",
"296117839669516092864788658433251533836"
]
}
}
]
vanir_signatures_modified
"2026-04-11T15:15:18Z"