Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-5630

CWE-74, CWE-73 | 10 documents | 8 sources
Severity: 7.5 HIGH
EPSS: 5.1% (top 10.15%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Feb 1
Latest update: May 13

Description

PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Packagist: pear/pear 1.10.1
NVD: php/pear 1.10.1

🔴 Vulnerability Details (4)

OSV: PEAR core file overwrite vulnerability (2022-05-13)
GHSA: PEAR core file overwrite vulnerability (2022-05-13)
OSV: CVE-2017-5630: PECL in the download utility class in the Installer in PEAR Base System v1 (2017-02-01)
CVEList: CVE-2017-5630: PECL in the download utility class in the Installer in PEAR Base System v1 (2017-02-01)

💥 Exploits & PoCs (1)

Exploit-DB: PHP PEAR 1.10.1 - Arbitrary File Download (2017-01-30)

📋 Vendor Advisories (2)

Red Hat: php-pear: File overwrite by malicious server (2017-01-26)
Debian: CVE-2017-5630: php-pear - PECL in the download utility class in the Installer in PEAR Base System v1.10.1 ... (2017)

💬 Community (2)

Bugzilla: CVE-2017-5630 php-pear: File overwrite by malicious server (2017-02-02)
Bugzilla: CVE-2017-5630 php-pear: File types and filenames not validated after a redirect [fedora-all] (2017-02-02)
CVE-2017-5630 (HIGH CVSS 7.5) | PECL in the download utility class | cvebase.io