Lucene search

K
ubuntucve
Ubuntu.comUB:CVE-2012-2311
HistoryMay 04, 2012 - 12:00 a.m.

CVE-2012-2311

2012-05-0400:00:00
ubuntu.com
ubuntu.com
8

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.937 High

EPSS

Percentile

99.0%

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when
configured as a CGI script (aka php-cgi), does not properly handle query
strings that contain a %3D sequence but no = (equals sign) character, which
allows remote attackers to execute arbitrary code by placing command-line
options in the query string, related to lack of skipping a certain
php_getopt for the ā€˜dā€™ case. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2012-1823.

Bugs

Notes

Author Note
sbeattie Please see http://www.php.net/archive/2012.php#id2012-05-06-1 for more details when using configurations other than as described in /usr/share/doc/php5-cgi/README.Debian.gz.
OSVersionArchitecturePackageVersionFilename
ubuntu08.04noarchphp5< 5.2.4-2ubuntu5.24UNKNOWN
ubuntu10.04noarchphp5< 5.3.2-1ubuntu4.15UNKNOWN
ubuntu11.04noarchphp5< 5.3.5-1ubuntu7.8UNKNOWN
ubuntu11.10noarchphp5< 5.3.6-13ubuntu3.7UNKNOWN
ubuntu12.04noarchphp5< 5.3.10-1ubuntu3.1UNKNOWN
How to protect your server from attacks?

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.937 High

EPSS

Percentile

99.0%

Related for UB:CVE-2012-2311