PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5630 PHP CVE debrief

CVE-2017-5630 affects the Installer download utility class, used by PECL, in PEAR Base System 1.10.1. According to the NVD record, the flaw is that file types and filenames are not validated after an HTTP redirect, which can let a remote HTTP server cause unintended file overwrites via crafted responses. The published references indicate an integrity impact, including a demonstrated .htaccess overwrite.

Vendor: PHP
Product: CVE-2017-5630
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-01
Original CVE updated: 2026-05-13
Advisory published: 2017-02-01
Advisory updated: 2026-05-13

Who should care

Administrators and developers who use PEAR Base System 1.10.1 or automated PECL/PEAR installation workflows should care most. Systems that download packages from HTTP sources or allow installer-driven writes to web-accessible directories are the highest concern.

Technical summary

NVD classifies the issue as CVE-2017-5630 with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N and CWE-74. The core problem is insufficient validation of file type and filename after an HTTP redirect in the Installer download utility class. Because the flaw is network-reachable, requires no privileges, and affects integrity, a malicious or compromised remote server can influence what gets written locally.

Defensive priority

High. The vulnerability is remotely reachable, requires no authentication, and can modify files on disk. Integrity impact is the main risk, especially where installer writes can change web server behavior or application configuration.

Recommended defensive actions

  • Identify hosts running PEAR Base System 1.10.1 or tooling that embeds the affected installer workflow.
  • Upgrade or replace the affected PEAR/PECL installation path with a version or workflow that validates filenames and content after redirects.
  • Restrict package retrieval to trusted sources and avoid using unauthenticated HTTP download paths for package installation.
  • Audit systems for unexpected file changes after package installs, especially .htaccess and other configuration files.
  • Review web and application directories for recent unauthorized or anomalous overwrite activity tied to package download/install events.
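The post-redirect validation that the technical summary says was missing, and that the second action above calls for, can be illustrated in a few lines. The following is an added Python example written for this debrief; it is not PEAR's installer code, and the suffix and content-type policy, host names and package name are constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed policy for this illustration: PEAR/PECL packages arrive as
# .tgz/.tar archives, so anything else landing after a redirect is rejected.
ALLOWED_SUFFIXES = (".tgz", ".tar", ".tar.gz")
ALLOWED_CONTENT_TYPES = {
    "application/octet-stream", "application/x-gzip",
    "application/gzip", "application/x-tar",
}

def naive_target_name(final_url):
    """The weak pattern: trust whatever filename the final URL carries."""
    return posixpath.basename(unquote(urlsplit(final_url).path))

def check_download(requested_name, final_url, content_type):
    """Re-validate after redirects have been followed.

    Returns (ok, final_name_or_reason). Every check is applied to the URL
    the client actually ended up at, not the one it originally asked for.
    """
    final_name = naive_target_name(final_url)
    if not final_name or final_name in (".", ".."):
        return False, "redirect target has no usable filename"
    if "\x00" in final_name or "\\" in final_name:
        return False, "control or path characters in filename"
    if final_name.startswith("."):
        return False, f"dotfile target refused: {final_name}"
    if final_name != requested_name:
        return False, f"redirect renamed {requested_name} to {final_name}"
    if not final_name.endswith(ALLOWED_SUFFIXES):
        return False, f"unexpected extension on {final_name}"
    ctype = content_type.split(";", 1)[0].strip().lower()
    if ctype not in ALLOWED_CONTENT_TYPES:
        return False, f"unexpected content type {ctype}"
    return True, final_name

if __name__ == "__main__":
    # Constructed scenarios: a benign mirror redirect, a redirect that renames
    # the download to .htaccess, and a same-name redirect serving HTML.
    cases = [
        ("Foo_Bar-1.0.0.tgz", "https://mirror.example/get/Foo_Bar-1.0.0.tgz",
         "application/octet-stream"),
        ("Foo_Bar-1.0.0.tgz", "https://evil.example/.htaccess", "text/plain"),
        ("Foo_Bar-1.0.0.tgz", "https://evil.example/get/Foo_Bar-1.0.0.tgz",
         "text/html; charset=utf-8"),
    ]
    for requested, url, ctype in cases:
        print(naive_target_name(url), "->", check_download(requested, url, ctype))
```

The contrast between naive_target_name and check_download is the whole point: the first would happily hand back ".htaccess" as the file to write, the second refuses it before any byte reaches disk.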

Evidence notes

The NVD record supplies the affected CPE, CVSS vector, and CWE-74 classification. The vendor advisory reference (PEAR bug 21171) and the third-party advisories listed by NVD corroborate the issue context. The provided source corpus also notes that a crafted response can overwrite files, with .htaccess given as an example.

Official resources

CVE-2017-5630 was published on 2017-02-01. NVD later marked the record modified on 2026-05-13; no KEV entry was provided in the source corpus.