{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "7.0.0"
              },
              {
                "fixed": "7.0.16"
              }
            ]
          },
          "events": [
            {
              "introduced": "60fffd296abce5fc071f3c173c25a2696cf683c6"
            },
            {
              "fixed": "37eb1e4d92db3cf3f92910f27216550c0b0a9982"
            },
            {
              "fixed": "bab0b99f376dac9170ac81382a5ed526938d595a"
            }
          ],
          "repo": "https://github.com/php/php-src",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.",
  "id": "CVE-2017-7189",
  "modified": "2026-03-13T21:48:57.944614174Z",
  "published": "2019-07-10T15:15:11.163Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://bugs.php.net/bug.php?id=74192"
    },
    {
      "type": "FIX",
      "url": "https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}