CVE-2016-7480

Published on: 01/11/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:06 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of PHP (vendor: PHP) contain the following vulnerability:

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

  • CVE-2016-7480 has been assigned by [email protected] to track the vulnerability, which is currently rated as CRITICAL severity.

CVSS3 Score: 9.8 - CRITICAL

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2 Score: 7.5 - HIGH

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVE References

  • PHP :: Sec Bug #73257 :: pointer to uninitialized memory passed to unserialize
    Tags: Patch, VDB Entry
    Link: MISC bugs.php.net/bug.php?id=73257 (text/html)
  • Check Point discovers three Zero-Day Vulnerabilities in web programming language PHP 7 | Check Point Blog
    Tags: Third Party Advisory, VDB Entry
    Link: MISC blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7 (text/html)
  • Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows u… · php/[email protected] · GitHub
    Tags: Patch, VDB Entry
    Link: MISC github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4 (text/html)
  • PHP: PHP 7 ChangeLog
    Tags: Release Notes, Vendor Advisory
    Link: MISC php.net/ChangeLog-7.php (text/html)
  • YouTube
    Tags: Press/Media Coverage
    Link: MISC www.youtube.com/watch?v=LDcaPstAuPk (text/html)
  • PHP CVE-2016-7480 Remote Code Execution Vulnerability
    Source: cve.report (archive) (text/html)
    Link: BID 95152
  • Tags: Exploit, Technical Description, Third Party Advisory
    Link: MISC blog.checkpoint.com/wp-content/uploads/2016/12/PHP_Technical_Report.pdf (application/pdf)
  • September 2017 PHP Vulnerabilities in NetApp Products | NetApp Product Security
    Link: CONFIRM security.netapp.com/advisory/ntap-20180112-0001/ (text/html)

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
Application Php Php All All All All
  • cpe:2.3:a:php:php:*:*:*:*:*:*:*:*: