High severity7.4NVD Advisory· Published Mar 27, 2017· Updated May 13, 2026

CVE-2017-7272

Description

PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.

Affected products

PHP/PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
Range: <=7.1.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595anvdIssue TrackingPatchThird Party Advisory
www.securityfocus.com/bid/97178nvdThird Party AdvisoryVDB Entry
bugs.php.net/bug.phpnvdIssue TrackingVendor Advisory
www.securitytracker.com/id/1038158nvd
bugs.php.net/bug.phpnvd
security.netapp.com/advisory/ntap-20180112-0001/nvd
www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170403-0_PHP_Misbehavior_of_fsockopen_function_v10.txtnvd

News mentions

No linked articles in our index yet.

cvss	0.481
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000