First published: Fri Sep 06 2019(Updated: )
A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
PECL HTTP | <=2.5.6 | |
PECL HTTP | >=3.0.0<=3.0.1 | |
PECL HTTP | =2.6.0 | |
PECL HTTP | =2.6.0-beta1 | |
PECL HTTP | =2.6.0-beta2 | |
PECL HTTP | =2.6.0-rc1 | |
PECL HTTP | =3.1.0 | |
PECL HTTP | =3.1.0-beta1 | |
PECL HTTP | =3.1.0-beta2 | |
PECL HTTP | =3.1.0-rc1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2016-7398 is considered a high severity vulnerability due to its potential to allow arbitrary code execution and crashes in PHP.
To fix CVE-2016-7398, update to PECL HTTP extension version 3.1.0 or later for PHP 7, and version 2.5.6 or later for PHP 5.
CVE-2016-7398 affects PECL HTTP extension versions prior to 3.1.0 for PHP 7 and versions prior to 2.5.6 for PHP 5.
Yes, CVE-2016-7398 can be exploited remotely through crafted HTTP requests.
Yes, CVE-2016-7398 has been patched in subsequent releases of the PECL HTTP extension.