CVE-2017-5630

HIGH

PHP Pear - Injection

Title source: rule

Description

PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.

Exploits (1)

exploitdb WORKING POC

by hyp3rlinx · textwebappsphp

https://www.exploit-db.com/exploits/41185

View Code ZIP pw:eip

References (3)

[Vendor Advisory] http://pear.php.net/bugs/bug.php?id=21171

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/95882

[Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/41185/

Scores

CVSS v3 7.5

EPSS 0.0512

EPSS Percentile 89.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-74

Status published

Products (2)

pear/pear 0Packagist

php/pear 1.10.1

Published Feb 01, 2017

Tracked Since Feb 18, 2026