9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
75.5%
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c
in PHP before 7.0.12 does not verify that a key is an object, which allows
remote attackers to execute arbitrary code or cause a denial of service
(uninitialized memory access) via crafted serialized data.
Author | Note |
---|---|
mdeslaur | 5.x doesn’t look vulnerable |
blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7
blog.checkpoint.com/wp-content/uploads/2016/12/PHP_Technical_Report.pdf
php.net/ChangeLog-7.php
launchpad.net/bugs/cve/CVE-2016-7480
nvd.nist.gov/vuln/detail/CVE-2016-7480
security-tracker.debian.org/tracker/CVE-2016-7480
www.cve.org/CVERecord?id=CVE-2016-7480
www.youtube.com/watch?v=LDcaPstAuPk
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
75.5%