CVE-2017-12933
PUBLISHED
The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.
Risk Scores
- EPSS Score: 13.03% (94.2nd percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:14.04:LTS | php5 | 0, 5.5.3+dfsg-1ubuntu3, 5.5.6+dfsg-1ubuntu1 |
Exploit Intelligence
- Out of Bounds Memory Read in unserialize() (hackerone)
- cve_db.json (github-poc)
Timeline
- CVE Published
- Nov 27, 2018 PoC Published
- Apr 14, 2021 EPSS Score
- Mar 17, 2025 EPSS Score
- Mar 23, 2025 EPSS Score
- Mar 29, 2025 EPSS Score
- Mar 30, 2025 EPSS Score
- Apr 12, 2025 EPSS Score
- May 1, 2025 EPSS Score
- May 20, 2025 EPSS Score
- May 21, 2025 EPSS Score
- Jun 1, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-12933 third-party-advisory
- http://php.net/ChangeLog-5.php third-party-advisory
- http://php.net/ChangeLog-7.php third-party-advisory
- https://ubuntu.com/security/notices/USN-3566-1 vendor-advisory
- https://ubuntu.com/security/notices/USN-3566-2 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-12933 third-party-advisory