CVE-2017-5630
Find out more about CVE-2017-5630 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Since pear's purpose is to download libraries for inclusion in an application, any use of pear install or pear download implicitly trusts the server. This vulnerability does not significantly extend the trust already given to pear and to servers used with it.
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 3.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | None |
| Integrity Impact | Low |
| Availability Impact | None |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-php56-php-pear | Will not fix |
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-php70-php-pear | Will not fix |
| Red Hat Enterprise Linux 7 | php-pear | Will not fix |
| Red Hat Enterprise Linux 6 | php-pear | Will not fix |
| Red Hat Enterprise Linux 5 | php-pear | Will not fix |
Mitigation
This vulnerability only allows files in the current directory to be overwritten, so using `pear download` in a temporary directory effectively mitigates the risk of a dangerous file overwrite occurring.
