CVE Vulnerabilities

CVE-2016-7398

Incorrect Type Conversion or Cast

Published: Sep 06, 2019 | Modified: Sep 20, 2019
CVSS 3.x: 9.8 CRITICAL
Source: NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu: MEDIUM

A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.

Weakness

The product does not correctly convert an object, resource, or structure from one type to a different type.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ext-http | Php | * | 2.5.6 (including) |
| Ext-http | Php | 3.0.0 (including) | 3.0.1 (including) |
| Ext-http | Php | 2.6.0 (including) | 2.6.0 (including) |
| Ext-http | Php | 2.6.0-beta1 (including) | 2.6.0-beta1 (including) |
| Ext-http | Php | 2.6.0-beta2 (including) | 2.6.0-beta2 (including) |
| Ext-http | Php | 2.6.0-rc1 (including) | 2.6.0-rc1 (including) |
| Ext-http | Php | 3.1.0 (including) | 3.1.0 (including) |
| Ext-http | Php | 3.1.0-beta1 (including) | 3.1.0-beta1 (including) |
| Ext-http | Php | 3.1.0-beta2 (including) | 3.1.0-beta2 (including) |
| Ext-http | Php | 3.1.0-rc1 (including) | 3.1.0-rc1 (including) |
| Php-pecl-http | Ubuntu | disco | * |
| Php-pecl-http | Ubuntu | esm-apps/xenial | * |
| Php-pecl-http | Ubuntu | trusty | * |
| Php-pecl-http | Ubuntu | upstream | * |
| Php-pecl-http | Ubuntu | xenial | * |

References