Vulnerability CVE-2016-5771


Published: 2016-08-07

Description:
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

See advisories in our WLB2 database:
Topic
Author
Date
High
Kerio Control Unified Threat Management Code Execution / XSS / Memory Corruption
R. Freingruber
24.09.2016

Type:

CWE-416

(Use After Free)

Vendor: PHP
Product: PHP 
Version:
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.22
5.6.21
5.6.20
5.6.2
5.6.19
5.6.18
5.6.17
5.6.16
5.6.15
5.6.14
5.6.13
5.6.12
5.6.11
5.6.10
5.6.1
5.6.0
5.5.36

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://github.com/php/php-src/commit/3f627e580acfdaf0595ae3b115b8bec677f203ee?w=1
http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00004.html
http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html
http://php.net/ChangeLog-5.php
http://rhn.redhat.com/errata/RHSA-2016-2750.html
http://www.debian.org/security/2016/dsa-3618
http://www.openwall.com/lists/oss-security/2016/06/23/4
http://www.securityfocus.com/bid/91401
https://bugs.php.net/bug.php?id=72433
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
https://support.apple.com/HT207170

Related CVE
CVE-2010-4657
PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlTextWriterWriteAttribute, which are then misparsed by libxml2. This results in memory leak into the resulting output.
CVE-2016-7398
A type confusion vulnerability in the merge_param() function of php_http_params.c in PHP's pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code ...
CVE-2019-11042
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past ...
CVE-2019-11041
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past ...
CVE-2017-7189
main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a securi...
CVE-2019-11040
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past ...
CVE-2019-11039
Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.
CVE-2019-11038
When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause t...

Copyright 2019, cxsecurity.com

 

Back to Top