Main Vulnerability Database SB2017063014

SB2017063014 - SUSE Linux update for php

Published: June 30, 2017

Security Bulletin ID SB2017063014

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Server-side request forgery (CVE-ID: CVE-2017-7272)

The vulnerability allows a remote user to perform SSRF attack.

The weakness exists due to a flaw in the fsockopen() function. A remote attacker can use fsockopen hostname argument to cause the system to accept it with an expectation that the port number is constrained and perform server-sire request forgery attack.

Successful exploitation of this vulnerability may allow an attacker to perform SSRF attack to retrieve information for further attacks against vulnerable system by performing unauthorized connections to local resources, gain access to sensitive information and compromise vulnerable system.

Remediation

Install update from vendor's website.

References

https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00039.html