CVE-2017-7272

Description

PHP through 7.1.3 enables potential SSRF in applications that accept an fsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.
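One way an application can enforce the port constraint regardless of PHP version, as an added example that is not from this advisory or from PHP itself: reject any hostname that could carry its own port before it reaches fsockopen. The function names assert_portless_host and connect_on_fixed_port are hypothetical, and the sketch assumes IPv6 literals are not needed.

```php
<?php
declare(strict_types=1);

// Added example: validate a user-supplied host before fsockopen() so it
// cannot carry its own ":port". Function names here are hypothetical.

function assert_portless_host(string $input): string
{
    $host = trim($input);

    // A dotted-quad IPv4 literal contains no colon and is passed through.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }

    // DNS name: labels of letters, digits and hyphens joined by dots.
    // Any value containing ":" fails this pattern, so "host:port" is refused.
    // Assumption: IPv6 literals are not needed and are rejected as well.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (!preg_match('/\A(?=.{1,253}\z)' . $label . '(?:\.' . $label . ')*\z/', $host)) {
        throw new InvalidArgumentException('host must be a bare hostname or IPv4 address');
    }
    return $host;
}

function connect_on_fixed_port(string $userHost, int $port, float $timeout = 5.0)
{
    // The port comes only from the application, never from $userHost.
    $fp = fsockopen(assert_portless_host($userHost), $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    return $fp;
}

// Constructed sample inputs; only validation is exercised, no connection is made.
foreach (['example.com', '192.0.2.10', 'example.com:22', '192.0.2.10:22'] as $candidate) {
    try {
        assert_portless_host($candidate);
        echo "accepted: $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate\n";
    }
}
```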

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Release | Package | Patched in
upstream | php7.0 | 7.0.18
upstream | php7.1 | 7.1.4

Unaffected

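Release | Package | Reason
precise | php5 | ignored
precise | php7.0 | DNE
precise | php7.1 | DNE
precise/esm | php5 | ignored
precise/esm | php7.0 | DNE
precise/esm | php7.1 | DNE
trusty | php5 | ignored
trusty | php7.0 | DNE
trusty | php7.1 | DNE
vivid/ubuntu-core | php5 | DNE
vivid/ubuntu-core | php7.0 | DNE
vivid/ubuntu-core | php7.1 | DNE
vivid/stable-phone-overlay | php5 | DNE
vivid/stable-phone-overlay | php7.0 | DNE
vivid/stable-phone-overlay | php7.1 | DNE
xenial | php5 | DNE
xenial | php7.0 | ignored
xenial | php7.1 | DNE
yakkety | php5 | DNE
yakkety | php7.0 | ignored
yakkety | php7.1 | DNE
zesty | php5 | DNE
zesty | php7.0 | ignored
zesty | php7.1 | DNE
devel | php5 | DNE
devel | php7.0 | DNE
devel | php7.1 | not-affected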

Needs Triage

Release | Package | Reason
upstream | php5 | needs-triage