Lucene search

[email protected]CVE-2012-2386

HistoryJul 07, 2012 - 10:21 a.m.

CVE-2012-2386

2012-07-0710:21:13

CWE-189

[email protected]

web.nvd.nist.gov

137

cve-2012-2386

php

integer overflow

buffer overflow

denial of service

remote code execution

nvd

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

8.2 High

AI Score

Confidence

Low

0.085 Low

EPSS

Percentile

94.5%

JSON

Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow.

Affected configurations

NVD

Node

phpphpRange≤5.3.13

phpphpRange5.4.0–5.4.4

CPENameOperatorVersion
php:phpphple5.3.13
php:phpphplt5.4.4

CPE	Name	Operator	Version
php:php	php	le	5.3.13
php:php	php	lt	5.4.4

References

0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html

git.php.net/?p=php-src.git%3Ba=commit%3Bh=158d8a6b088662ce9d31e0c777c6ebe90efdc854

lists.apple.com/archives/security-announce/2012/Sep/msg00004.html

lists.opensuse.org/opensuse-security-announce/2012-07/msg00003.html

openwall.com/lists/oss-security/2012/05/22/10

support.apple.com/kb/HT5501

www.php.net/ChangeLog-5.php

bugs.php.net/bug.php?id=61065

bugzilla.redhat.com/show_bug.cgi?id=823594

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

8.2 High

AI Score

Confidence

Low

0.085 Low

EPSS

Percentile

94.5%

JSON

Related for CVE-2012-2386

securityvulns3 nessus23 f52 debian1 ubuntucve1 nvd1 openvas43 cvelist1 prion1 amazon1 fedora10 suse1 ubuntu1 oraclelinux2 centos2 redhat2 veracode2 hackerone1 gentoo1