A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.
2019-09-06T19:15:11.387
2024-11-21T02:57:55.110
Modified
CVSSv3.1: 9.8 (CRITICAL)
AV:N/AC:L/Au:N/C:P/I:P/A:P
10.0
6.4
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | php | ext-http | ≤ 2.5.6 | Yes |
| Application | php | ext-http | ≤ 3.0.1 | Yes |
| Application | php | ext-http | 2.6.0 | Yes |
| Application | php | ext-http | 2.6.0 | Yes |
| Application | php | ext-http | 2.6.0 | Yes |
| Application | php | ext-http | 2.6.0 | Yes |
| Application | php | ext-http | 3.1.0 | Yes |
| Application | php | ext-http | 3.1.0 | Yes |
| Application | php | ext-http | 3.1.0 | Yes |
| Application | php | ext-http | 3.1.0 | Yes |