CVE-2017-7189

Source
https://cve.org/CVERecord?id=CVE-2017-7189
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7189.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-7189
Downstream
Published
2019-07-10T15:15:11.163Z
Modified
2026-04-11T04:59:51.171136Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Database specific
{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.0.16"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7189.json"
vanir_signatures_modified
"2026-04-11T04:59:51Z"
vanir_signatures
[
    {
        "digest": {
            "length": 813.0,
            "function_hash": "25954418537993354906810679751706881010"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2017-7189-0367c050",
        "signature_version": "v1",
        "source": "https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a",
        "target": {
            "function": "parse_ip_address_ex",
            "file": "main/streams/xp_socket.c"
        }
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2017-7189-dd7e2968",
        "signature_version": "v1",
        "source": "https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a",
        "target": {
            "file": "main/streams/xp_socket.c"
        }
    }
]