CVE-2009-2626

2009-12-0116:30:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

cve-2009-2626

zend_restore_ini_entry_cb

php 5.3.0

security vulnerability

memory contents disclosure

php crash

nvd

5.8 Medium

AI Score

Confidence

Low

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:N/A:P

0.176 Low

EPSS

Percentile

96.1%

JSON

The zend_restore_ini_entry_cb function in zend_ini.c in PHP 5.3.0, 5.2.10, and earlier versions allows context-specific attackers to obtain sensitive information (memory contents) and cause a PHP crash by using the ini_set function to declare a variable, then using the ini_restore function to restore the variable.

CPENameOperatorVersion
php:phpphpeq4.3.9
php:phpphpeq4.4.9
php:phpphpeq3.0
php:phpphpeq5.2.9
php:phpphpeq4.0
php:phpphpeq3.0.5
php:phpphpeq3.0.11
php:phpphpeq5.1.5
php:phpphpeq5.1.2
php:phpphpeq4.2.0

CPE	Name	Operator	Version
php:php	php	eq	4.3.9
php:php	php	eq	4.4.9
php:php	php	eq	3.0
php:php	php	eq	5.2.9
php:php	php	eq	4.0
php:php	php	eq	3.0.5
php:php	php	eq	3.0.11
php:php	php	eq	5.1.5
php:php	php	eq	5.1.2
php:php	php	eq	4.2.0