CVE-2015-8617
Published 2016-01-19
Priority P2 · 72 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.87% (97.5th percentile)
Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API.c in PHP 7.x before 7.0.1 allows remote attackers to execute arbitrary code via format string specifiers in a string that is misused as a class name, leading to incorrect error handling.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | — | — |
Detection & IOCs
- The vulnerability is triggered by passing format string specifiers (e.g., %n, %s, %x) as a class name in PHP 7.0.0. Monitor PHP error logs or application input for class name strings containing printf-style format specifiers.
- The vulnerable code path is in zend_throw_or_error() in Zend/zend_execute_API.c. The fix changes `zend_throw_error(exception_ce, message)` to `zend_throw_error(exception_ce, "%s", message)`. Verify patched PHP binaries contain this fix.
- Only PHP 7.0.0 is affected; PHP versions prior to 7.x and PHP 7.0.1+ are not vulnerable. Confirm PHP version in use via `php --version` or server headers.
- The crash occurs inside xbuf_format_converter() in main/spprintf.c when a %n format specifier is processed. Stack traces referencing this function during a PHP fatal error on class instantiation should be investigated.
- Only PHP 7.0.0 is affected. All Red Hat Enterprise Linux packages (php on RHEL 5/6/7, php53, php54-php, php55-php, rh-php56-php) ship PHP versions prior to 7.x and are listed as Not Affected.
- The vulnerability is limited to the ZEND_FETCH_CLASS_EXCEPTION code path within zend_throw_or_error; only class-not-found error handling in PHP 7.0.0 is exploitable.
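
The one-argument fix described above, as an added C example (not PHP source and not code from the original page). `throw_error`, `class_not_found_unpatched`, `class_not_found_patched` and the buffer sizes are hypothetical stand-ins for `zend_throw_error` and `zend_throw_or_error`; the constructed class name contains only `%%`, which reads no arguments, so the second round of formatting shows up as a changed message.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for zend_throw_error(): a printf-style sink that
 * records the formatted error text so the caller can inspect it. */
static char last_error[256];

static void throw_error(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(last_error, sizeof last_error, format, ap);
    va_end(ap);
}

/* Pre-fix pattern: the message already contains the caller-supplied class
 * name, and is then passed where a format string is expected. */
static const char *class_not_found_unpatched(const char *class_name)
{
    char message[200];
    snprintf(message, sizeof message, "Class '%s' not found", class_name);
    throw_error(message);        /* parsed as a format a second time */
    return last_error;
}

/* Post-fix pattern: a constant "%s" format, so the message is plain data. */
static const char *class_not_found_patched(const char *class_name)
{
    char message[200];
    snprintf(message, sizeof message, "Class '%s' not found", class_name);
    throw_error("%s", message);
    return last_error;
}

int main(void)
{
    /* Constructed sample input: "%%" is a conversion that reads no
     * arguments, so both calls below have defined behaviour. */
    const char *name = "Report100%%";

    printf("unpatched: %s\n", class_not_found_unpatched(name));
    printf("patched:   %s\n", class_not_found_patched(name));
    return 0;
}
```

Declaring such a sink with `__attribute__((format(printf, 1, 2)))` lets GCC and Clang report the unpatched call under `-Wformat-security`.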
CVSS provenance
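| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 9.8 | CRITICAL | — |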
GHSA
GHSA-cvfg-5hfc-wcq7: Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API
ghsa_unreviewed·2022-05-17
CVE-2015-8617 [CRITICAL] CWE-134 GHSA-cvfg-5hfc-wcq7: Format string vulnerability in the zend_throw_or_error function in Zend/zend_execute_API
Red Hat
php: Format string vulnerability in class name error message
vendor_redhat·2015-12-12·CVSS 9.8
CVE-2015-8617 [CRITICAL] CWE-134 php: Format string vulnerability in class name error message
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Not affected
Package: php (Red Hat Enterprise Linux 6) - Not affected
Package: php (Red Hat Enterprise Linux 7) - Not affected
Package: php (Red Hat OpenShift Enterprise 2) - Not affected
Package: php54-php (Red Hat Software Collections) - Not affected
Package: php55-php (Red Hat Software Collections) - Not affected
Package: rh-php56-php (Red Hat So
No detection rules found.
- http://php.net/ChangeLog-7.php
- http://www.securitytracker.com/id/1034543
- https://bugs.php.net/bug.php?id=71105
- https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e