5
CVE-2011-4153
- EPSS 12.2%
- Veröffentlicht 18.01.2012 20:55:02
- Zuletzt bearbeitet 16.06.2026 23:34:30
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
PHP 5.3.8 does not always check the return value of the zend_strndup function, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that performs strndup operations on untrusted string data, as demonstrated by the define function in zend_builtin_functions.c, and unspecified functions in ext/soap/php_sdl.c, ext/standard/syslog.c, ext/standard/browscap.c, ext/oci8/oci8.c, ext/com_dotnet/com_typeinfo.c, and main/php_open_temporary_file.c.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 12.2% | 0.956 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00016.html
http://secunia.com/advisories/48668
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00013.html
http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
http://cxsecurity.com/research/103
http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00001.html
http://marc.info/?l=bugtraq&m=134012830914727&w=2
http://www.exploit-db.com/exploits/18370/