CVSS2: 5.1 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS: 0.613 Medium (Percentile 97.8%)

Stefan Esser of e-matters discovered a condition within PHP
that may lead to remote execution of arbitrary code. The
memory_limit facility is used to notify functions when memory
constraints have been met. Under certain conditions, the entry
into this facility is able to interrupt functions such as
zend_hash_init() at locations not suitable for interruption.
The result would leave these functions in a vulnerable state.
An attacker that is able to trigger the memory_limit abort
within zend_hash_init() and is additionally able to control
the heap before the HashTable itself is allocated, is able to
supply his own HashTable destructor pointer. […]
All mentioned places outside of the extensions are quite easy
to exploit, because the memory allocation up to those places
is deterministic and quite static throughout different PHP
versions. […]
Because the exploit itself consists of supplying an arbitrary
destructor pointer this bug is exploitable on any platform.
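
The ordering problem described above can be shown with a simplified C model, added here as an illustration; it is not PHP's source code. All names (`table_t`, `limited_alloc`, `init_flawed`, `init_hardened`) and the 64-byte limit are hypothetical, and `longjmp` stands in for the memory_limit abort.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*dtor_fn)(void *);
typedef struct { void **buckets; size_t size; dtor_fn dtor; } table_t;

static jmp_buf bailout;              /* models the engine's abort target */
static const size_t mem_limit = 64;  /* constructed limit, in bytes */

/* Allocator that aborts the caller via longjmp once the limit is exceeded. */
static void *limited_alloc(size_t n) {
    if (n > mem_limit) longjmp(bailout, 1);
    return calloc(1, n);
}

/* Flawed ordering: the interruptible allocation runs before dtor is set. */
static void init_flawed(table_t *t, size_t n, dtor_fn d) {
    t->size = n;
    t->buckets = limited_alloc(n * sizeof(void *));
    t->dtor = d;                     /* never reached when the abort fires */
}

/* Hardened ordering: every field is valid before anything can abort. */
static void init_hardened(table_t *t, size_t n, dtor_fn d) {
    t->buckets = NULL;
    t->size = 0;
    t->dtor = d;
    t->buckets = limited_alloc(n * sizeof(void *));
    t->size = n;
}

/* Returns 1 if the dtor slot still holds stale bytes after an aborted init. */
static int dtor_is_stale_after_abort(void (*init)(table_t *, size_t, dtor_fn)) {
    static table_t t;                /* static: defined value after longjmp */
    unsigned char stale[sizeof(dtor_fn)];
    memset(stale, 0x41, sizeof stale);
    memset(&t, 0x41, sizeof t);      /* constructed "previous heap contents" */
    if (setjmp(bailout) == 0)
        init(&t, 1024, free);        /* 1024 slots exceed mem_limit: abort */
    return memcmp(&t.dtor, stale, sizeof stale) == 0;
}

int main(void) {
    printf("flawed:   stale dtor = %d\n", dtor_is_stale_after_abort(init_flawed));
    printf("hardened: stale dtor = %d\n", dtor_is_stale_after_abort(init_hardened));
    return 0;
}
```

Any cleanup path that later calls `dtor` on the half-initialized table would jump to whatever bytes were already in that slot, which is why the hardened ordering writes every field before the first call that can abort.
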
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | mod_php4-twig | <= 4.3.7_3 | UNKNOWN |
FreeBSD | any | noarch | php4 | <= 4.3.7_3 | UNKNOWN |
FreeBSD | any | noarch | php4-cgi | <= 4.3.7_3 | UNKNOWN |
FreeBSD | any | noarch | php4-cli | <= 4.3.7_3 | UNKNOWN |
FreeBSD | any | noarch | php4-dtc | <= 4.3.7_3 | UNKNOWN |
FreeBSD | any | noarch | php4-horde | <= 4.3.7_3 | UNKNOWN |
FreeBSD | any | noarch | php4-nms | <= 4.3.7_3 | UNKNOWN |
FreeBSD | any | noarch | mod_php4 | <= 4.3.7_3,1 | UNKNOWN |
FreeBSD | any | noarch | php5 | <= 5.0.0.r3_2 | UNKNOWN |
FreeBSD | any | noarch | php5-cgi | <= 5.0.0.r3_2 | UNKNOWN |