CVE-2018-15132

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-15132
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-15132.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-15132
Published
2018-08-07T15:29:00.873Z
Modified
2026-04-11T12:27:38.973579Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in ext/standard/linkwin32.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. The linkinfo function on Windows doesn't implement the openbasedir check. This could be abused to find files on paths outside of the allowed directories.

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type
GIT
Repo
https://github.com/php/php-src
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ea179bc44506ae1a4d5bb90502e962f43a902071
Introduced
60fffd296abce5fc071f3c173c25a2696cf683c6
Fixed
36d3d6c97c7d38a4d21438b5efa20f0b309518dd
Introduced
0221e9f827632942225586687a33cfd554860d5e
Fixed
1ceec3e87fa898ae09eb2d67353713f5bc0202bc
Introduced
8148cbb78841c8ec0759c0836e7f35dec799d300
Fixed
e32dc9aab87e888eefa7461dd71023d8274bb82d
Fixed
f151e048ed27f6f4eef729f3310d053ab5da71d4
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.6.37"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.0.31"
        },
        {
            "introduced": "7.1.0"
        },
        {
            "fixed": "7.1.20"
        },
        {
            "introduced": "7.2.0"
        },
        {
            "fixed": "7.2.8"
        }
    ]
}

Affected versions

Other
POST_64BIT_BRANCH_MERGE
POST_AST_MERGE
POST_PHP7_NSAPI_REMOVAL
POST_PHP7_REMOVALS
POST_PHPNG_MERGE
PRE_64BIT_BRANCH_MERGE
PRE_AST_MERGE
PRE_PHP7_EREG_MYSQL_REMOVALS
PRE_PHP7_NSAPI_REMOVAL
PRE_PHP7_REMOVALS

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-15132.json"
vanir_signatures_modified 
"2026-04-11T12:27:38Z"
vanir_signatures 
[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/php/php-src/commit/f151e048ed27f6f4eef729f3310d053ab5da71d4",
        "digest": {
            "function_hash": "220839560800956806208306563125284300441",
            "length": 336.0
        },
        "id": "CVE-2018-15132-168c6b48",
        "deprecated": false,
        "target": {
            "file": "ext/standard/link_win32.c",
            "function": "PHP_FUNCTION"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/php/php-src/commit/f151e048ed27f6f4eef729f3310d053ab5da71d4",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "212981070074641104509450091836034142668",
                "88395583671409793582864696691747015255",
                "135003533747648975021546284778785516302",
                "35499557418267422634095220243727042900",
                "117851673981305499478844129398245467257",
                "305333203988229800397156101482248605558",
                "81910444167263063639751966488804618110",
                "74540981037737713416730411259175941424",
                "40995403751221392183520592881069357352",
                "6280604222098253175767719674684668033",
                "301255860765288804387653980432627650299",
                "288880281421390955004434485443976198059"
            ]
        },
        "id": "CVE-2018-15132-dcccf7e0",
        "deprecated": false,
        "target": {
            "file": "ext/standard/link_win32.c"
        }
    }
]