CVE-2007-2728 - Vulnerability Details - OpenCVE

The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. Note: The PHP team argue that this is not a valid security issue.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Php	Php

Configuration 1 [-]

cpe:2.3:a:php:php:-:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:6.06:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:6.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::*

No data.

References

Link	Providers
http://blog.php-security.org/archives/80-Watching-the-PHP-CVS.html
http://osvdb.org/36086
http://secunia.com/advisories/25306
http://secunia.com/advisories/26102
http://secunia.com/advisories/26895
http://www.mandriva.com/security/advisories?name=MDKSA-2007:187
http://www.novell.com/linux/security/advisories/2007_15_sr.html
http://www.ubuntu.com/usn/usn-485-1
http://www.vupen.com/english/advisories/2007/1839

History

Fri, 16 Aug 2024 21:15:00 +0000

Type	Values Removed	Values Added
Description	The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727.	The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. Note: The PHP team argue that this is not a valid security issue.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-05-16T22:00:00

Updated: 2024-08-29T16:00:16.501Z

Reserved: 2007-05-16T00:00:00

Link: CVE-2007-2728

Vulnrichment

Updated: 2024-08-07T13:49:57.307Z

NVD

Status : Deferred

Published: 2007-05-16T22:30:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-2728

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2007-2728", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-29T16:00:16.501Z", "dateReserved": "2007-05-16T00:00:00", "datePublished": "2007-05-16T22:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-08-16T21:00:56.472396"}, "descriptions": [{"lang": "en", "value": "The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. Note: The PHP team argue that this is not a valid security issue."}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"name": "25306", "tags": ["third-party-advisory"], "url": "http://secunia.com/advisories/25306"}, {"url": "http://blog.php-security.org/archives/80-Watching-the-PHP-CVS.html"}, {"name": "ADV-2007-1839", "tags": ["vdb-entry"], "url": "http://www.vupen.com/english/advisories/2007/1839"}, {"name": "USN-485-1", "tags": ["vendor-advisory"], "url": "http://www.ubuntu.com/usn/usn-485-1"}, {"name": "MDKSA-2007:187", "tags": ["vendor-advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:187"}, {"name": "26895", "tags": ["third-party-advisory"], "url": "http://secunia.com/advisories/26895"}, {"name": "26102", "tags": ["third-party-advisory"], "url": "http://secunia.com/advisories/26102"}, {"name": "36086", "tags": ["vdb-entry"], "url": "http://osvdb.org/36086"}, {"name": "SUSE-SR:2007:015", "tags": ["vendor-advisory"], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "datePublic": "2007-05-10T00:00:00"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T13:49:57.307Z"}, "title": "CVE Program Container", "references": [{"name": "25306", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/25306"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.php-security.org/archives/80-Watching-the-PHP-CVS.html"}, {"name": "ADV-2007-1839", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2007/1839"}, {"name": "USN-485-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/usn-485-1"}, {"name": "MDKSA-2007:187", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:187"}, {"name": "26895", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26895"}, {"name": "26102", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/26102"}, {"name": "36086", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/36086"}, {"name": "SUSE-SR:2007:015", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T16:00:04.918528Z", "id": "CVE-2007-2728", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T16:00:16.501Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://secunia.com/advisories/25306", "name": "25306", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"]}, {"url": "http://blog.php-security.org/archives/80-Watching-the-PHP-CVS.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.vupen.com/english/advisories/2007/1839", "name": "ADV-2007-1839", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"]}, {"url": "http://www.ubuntu.com/usn/usn-485-1", "name": "USN-485-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"]}, {"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:187", "name": "MDKSA-2007:187", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"]}, {"url": "http://secunia.com/advisories/26895", "name": "26895", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"]}, {"url": "http://secunia.com/advisories/26102", "name": "26102", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"]}, {"url": "http://osvdb.org/36086", "name": "36086", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"]}, {"url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html", "name": "SUSE-SR:2007:015", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T13:49:57.307Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2007-2728", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T16:00:04.918528Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T16:00:12.406Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-05-10T00:00:00", "references": [{"url": "http://secunia.com/advisories/25306", "name": "25306", "tags": ["third-party-advisory"]}, {"url": "http://blog.php-security.org/archives/80-Watching-the-PHP-CVS.html"}, {"url": "http://www.vupen.com/english/advisories/2007/1839", "name": "ADV-2007-1839", "tags": ["vdb-entry"]}, {"url": "http://www.ubuntu.com/usn/usn-485-1", "name": "USN-485-1", "tags": ["vendor-advisory"]}, {"url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:187", "name": "MDKSA-2007:187", "tags": ["vendor-advisory"]}, {"url": "http://secunia.com/advisories/26895", "name": "26895", "tags": ["third-party-advisory"]}, {"url": "http://secunia.com/advisories/26102", "name": "26102", "tags": ["third-party-advisory"]}, {"url": "http://osvdb.org/36086", "name": "36086", "tags": ["vdb-entry"]}, {"url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html", "name": "SUSE-SR:2007:015", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. Note: The PHP team argue that this is not a valid security issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-08-16T21:00:56.472396"}}}, "cveMetadata": {"cveId": "CVE-2007-2728", "state": "PUBLISHED", "dateUpdated": "2024-08-29T16:00:16.501Z", "dateReserved": "2007-05-16T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2007-05-16T22:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:-:*:*:*:*:*:*:*", "matchCriteriaId": "029B5A37-BA8D-4FEC-BE90-856BB9D0D0E1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*", "matchCriteriaId": "454A5D17-B171-4F1F-9E0B-F18D1E5CA9FD", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:6.10:*:*:*:*:*:*:*", "matchCriteriaId": "23E304C9-F780-4358-A58D-1E4C93977704", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*", "matchCriteriaId": "6EBDAFF8-DE44-4E80-B6BD-E341F767F501", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727. Note: The PHP team argue that this is not a valid security issue."}, {"lang": "es", "value": "La extensi\u00f3n soap en PHP llama a php_rand_r con una variable seed no inicializada, que presenta un impacto desconocido y vectores de ataque, un problema relacionado con el problema de mcrypt_create_iv cubierto por CVE-2007-2727."}], "id": "CVE-2007-2728", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-05-16T22:30:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://blog.php-security.org/archives/80-Watching-the-PHP-CVS.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://osvdb.org/36086"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/25306"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/26102"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/26895"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:187"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/usn-485-1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2007/1839"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://blog.php-security.org/archives/80-Watching-the-PHP-CVS.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://osvdb.org/36086"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/25306"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/26102"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://secunia.com/advisories/26895"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2007:187"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.novell.com/linux/security/advisories/2007_15_sr.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/usn-485-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.vupen.com/english/advisories/2007/1839"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}