PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5677 Pear CVE debrief

CVE-2017-5677 is a critical vulnerability in PEAR HTML_AJAX versions 0.3.0 through 0.5.7. The issue is described as a PHP object injection problem in the PHP serializer, with remote code execution as the stated impact. NVD rates the issue 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so exposed instances should be treated as urgent.

Vendor: Pear
Product: CVE-2017-5677
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Administrators and developers running PEAR HTML_AJAX, especially in legacy PHP applications or any internet-facing deployment using versions 0.3.0 through 0.5.7.

Technical summary

The vulnerable surface is the PHP serializer path in PEAR HTML_AJAX. In affected versions, an unauthenticated remote attacker can trigger PHP object injection and potentially achieve code execution. The public record also notes one view that an incorrect regular expression is the root cause, but NVD does not map the issue to a more specific CWE and records it as NVD-CWE-noinfo.

Defensive priority

Critical

Recommended defensive actions

  • Inventory all applications and servers that include PEAR HTML_AJAX and confirm whether any instance is in the affected version range (0.3.0 through 0.5.7).
  • Apply the vendor-provided remediation referenced in the PEAR security advisory and bug tracker entry.
  • If immediate upgrading is not possible, remove or isolate exposed instances until they can be remediated.
  • Prioritize internet-facing deployments first because the issue is remotely exploitable without authentication or user interaction.
  • Review application logs and surrounding controls for unexpected serialization-related failures or anomalous requests while remediation is underway.
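The log review in the last item can be partly automated. The following is an added example, not code from PEAR or from this debrief: it scans constructed access-log lines for the serialized PHP object tokens (`O:<len>:"Class":` and `C:<len>:"Class":`) that any PHP object injection attempt must carry, percent-decoding parameter values first. The log format, the `server.php` script name and the parameter names are hypothetical; HTML_AJAX's real endpoint and parameters are not given on this page.

```python
import re
from urllib.parse import unquote_plus

# Serialized PHP objects start with O:<len>:"<class>": (plain object) or
# C:<len>:"<class>": (class with custom serialization). Such a token inside
# user-controlled input that reaches unserialize() is the precondition for PHP
# object injection, so its presence in a request is a useful triage signal.
_PHP_OBJECT_TOKEN = re.compile(r'\b([OC]):(\d+):"([^"]*)":')

# Constructed access-log sample: "<client> <method> <path?query>". The script
# name and parameter names are hypothetical, not HTML_AJAX's real endpoint.
SAMPLE_LOG = [
    '203.0.113.7 GET /app/server.php?c=Calendar&m=getEvents&month=2017-02',
    '203.0.113.9 GET /app/server.php?c=Calendar&m=getEvents'
    '&data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D',
    '198.51.100.4 POST /app/server.php?m=save'
    '&payload=a%3A1%3A%7Bi%3A0%3BC%3A11%3A%22ArrayObject%22%3A0%3A%7B%7D%7D',
    '198.51.100.5 GET /app/server.php?note=NOT%3A3%3A%22abc%22%3A',
]

def php_object_classes(value: str) -> list[str]:
    """Return class names of serialized PHP objects in one parameter value.
    Decoding is repeated (bounded) so double-encoded payloads are still seen;
    the declared length must equal the class-name length to weed out look-alikes."""
    decoded = value
    for _ in range(3):
        step = unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    return [name for _kind, length, name in _PHP_OBJECT_TOKEN.findall(decoded)
            if int(length) == len(name)]

def flag_requests(log_lines: list[str]) -> list[dict]:
    """Return one record per request whose query carries a serialized PHP object."""
    flagged = []
    for line in log_lines:
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the review
        client, method, target = parts
        query = target.partition("?")[2]
        classes = [cls for param in query.split("&")
                   for cls in php_object_classes(param.partition("=")[2])]
        if classes:
            flagged.append({"client": client, "method": method, "classes": classes})
    return flagged
```

Running `flag_requests(SAMPLE_LOG)` flags the second and third requests (classes `stdClass` and `ArrayObject`) and ignores the fourth, whose `NOT:3:"abc":` text only resembles a token; a hit is a review prompt, not proof of compromise, since legitimate applications may also pass serialized objects.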

Evidence notes

The NVD record lists PEAR HTML_AJAX versions 0.3.0 through 0.5.7 as vulnerable and assigns a CVSS 3.0 base score of 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The supplied references include the CVE record, the NVD detail page, the PEAR security advisory, and the PEAR bug tracker entry. NVD’s weakness field is NVD-CWE-noinfo, so the record provides no normalized CWE beyond the public description of PHP object injection.

Official resources

CVE published 2017-02-06; NVD record last modified 2026-05-13.