{ "id": "CVE-2017-7963", "sourceIdentifier": "cve@mitre.org", "published": "2017-04-19T15:59:00.287", "lastModified": "2023-11-07T02:50:18.287", "vulnStatus": "Modified", "descriptions": [ { "lang": "en", "value": "The GNU Multiple Precision Arithmetic Library (GMP) interfaces for PHP through 7.1.4 allow attackers to cause a denial of service (memory consumption and application crash) via operations on long strings. NOTE: the vendor disputes this, stating \"There is no security issue here, because GMP safely aborts in case of an OOM condition. The only attack vector here is denial of service. However, if you allow attacker-controlled, unbounded allocations you have a DoS vector regardless of GMP's OOM behavior.\"" }, { "lang": "es", "value": "** DISPUTADA ** Las interfaces GNU Multiple Precision Arithmetic Library (GMP) para PHP hasta la versi\u00f3n 7.1.4 permiten a atacantes provocar una denegaci\u00f3n de servicio (consumo de memoria y ca\u00edda de aplicaci\u00f3n) a trav\u00e9s de operaciones en cadenas largas. NOTA: el proveedor se opone a esto, declarando: \"No hay ning\u00fan problema de seguridad aqu\u00ed, porque GMP aborta de forma segura en caso de una condici\u00f3n de OOM. El \u00fanico vector de ataque aqu\u00ed es la denegaci\u00f3n de servicio. Sin embargo, si permite asignaciones no limitadas controladas por el atacante, tiene un vector DoS independientemente del comportamiento OOM de GMP\"." 
} ], "metrics": { "cvssMetricV30": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH" }, "exploitabilityScore": 3.9, "impactScore": 3.6 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": true, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-770" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.1.4", "matchCriteriaId": "C695FB97-098F-48B5-90E9-79D3A626263A" } ] } ] } ], "references": [ { "url": "https://bugs.php.net/bug.php?id=74308", "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Vendor Advisory" ] } ] }