php7 (SUSE:Linux Enterprise Software Development Kit 12 SP2) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the SUSE:Linux Enterprise Software Development Kit 12 SP2 package php7, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (43)
CVE-2018-7584 — CVSS 9.8 (critical): In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while…
CVE-2016-10160 — CVSS 9.8 (critical): Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote…
CVE-2016-10166 — CVSS 9.8 (critical): Integer underflow in the _gdContributionsAlloc function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.4 allows…
CVE-2016-6294 — CVSS 9.8 (critical): The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9…
CVE-2016-7479 — CVSS 9.8 (critical): In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to…
CVE-2016-7480 — CVSS 9.8 (critical): The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object…
CVE-2016-9137 — CVSS 9.8 (critical): Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows…
CVE-2016-9138 — CVSS 9.8 (critical): PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to…
CVE-2016-9935 — CVSS 9.8 (critical): The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial…
CVE-2016-9936 — CVSS 9.8 (critical): The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service…
CVE-2017-12932 — CVSS 9.8 (critical): ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing…
CVE-2017-12933 — CVSS 9.8 (critical): The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is…
CVE-2017-5340 — CVSS 9.8 (critical): Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows…
CVE-2017-9224 — CVSS 9.8 (critical): An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack…
CVE-2017-9226 — CVSS 9.8 (critical): An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap…
CVE-2017-9227 — CVSS 9.8 (critical): An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack…
CVE-2017-9228 — CVSS 9.8 (critical): An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap…
CVE-2017-11147 — CVSS 9.1 (critical): In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash…
CVE-2016-5766 — CVSS 8.8 (high): Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used in PHP before…
CVE-2016-5385 — CVSS 8.1 (high): PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from…
CVE-2017-11628 — CVSS 7.8 (high): In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in…
CVE-2016-10168 — CVSS 7.8 (high): Integer overflow in gd_io.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to have unspecified impact via…
CVE-2017-11144 — CVSS 7.5 (high): In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of…
CVE-2017-11145 — CVSS 7.5 (high): In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be…
CVE-2016-10158 — CVSS 7.5 (high): The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote…
CVE-2016-10159 — CVSS 7.5 (high): Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote…
CVE-2016-10161 — CVSS 7.5 (high): The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows…
CVE-2016-10162 — CVSS 7.5 (high): The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a…
CVE-2015-8994 — CVSS 7.5 (high): An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x…
CVE-2016-9933 — CVSS 7.5 (high): Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in…
CVE-2016-9934 — CVSS 7.5 (high): ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference)…
CVE-2017-9229 — CVSS 7.5 (high): An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV…
CVE-2017-11142 — CVSS 7.5 (high): In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by…
CVE-2016-10397 — CVSS 7.5 (high): In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to…
CVE-2016-7478 — CVSS 7.5 (high): Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service…
CVE-2017-12934 — CVSS 7.5 (high): ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x before 7.1.7 is prone to a heap use after free while unserializing…
CVE-2017-16642 — CVSS 7.5 (high): In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of'…
CVE-2017-6441 — CVSS 7.5 (high): The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference…
CVE-2017-7890 — CVSS 6.5 (medium): The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and…
CVE-2018-5712 — CVSS 6.1 (medium): An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on…
CVE-2016-10167 — CVSS 5.5 (medium): The gdImageCreateFromGd2Ctx function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.4 allows remote attackers to cause a…
CVE-2018-5711 — CVSS 5.5 (medium): gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x…
CVE-2017-11146: Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation…