CVE-2016-7413 - OpenCVE

Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Php	Php

Configuration 1 [-]

OR	cpe:2.3:a:php:php::::::::
	cpe:2.3:a:php:php:7.0.0:::::::*
	cpe:2.3:a:php:php:7.0.1:::::::*
	cpe:2.3:a:php:php:7.0.2:::::::*
	cpe:2.3:a:php:php:7.0.3:::::::*
	cpe:2.3:a:php:php:7.0.4:::::::*
	cpe:2.3:a:php:php:7.0.5:::::::*
	cpe:2.3:a:php:php:7.0.6:::::::*
	cpe:2.3:a:php:php:7.0.7:::::::*
	cpe:2.3:a:php:php:7.0.8:::::::*
	cpe:2.3:a:php:php:7.0.9:::::::*
	cpe:2.3:a:php:php:7.0.10:::::::*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2016/09/15/10	Mailing List
http://www.php.net/ChangeLog-5.php	Release Notes
http://www.php.net/ChangeLog-7.php	Release Notes
http://www.securityfocus.com/bid/93006
http://www.securitytracker.com/id/1036836
https://access.redhat.com/errata/RHSA-2018:1296
https://bugs.php.net/bug.php?id=72860	Exploit Issue Tracking
https://github.com/php/php-src/commit/b88393f08a558eec14964a55d3c680fe67407712?w=1	Issue Tracking Patch
https://security.gentoo.org/glsa/201611-22
https://www.tenable.com/security/tns-2016-19

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2016-09-17T21:00:00

Updated: 2018-05-03T09:57:01

Reserved: 2016-09-09T00:00:00

Link: CVE-2016-7413

JSON object: View

NVD Information

Status : Modified

Published: 2016-09-17T21:59:04.963

Modified: 2018-05-04T01:29:01.363

Link: CVE-2016-7413

JSON object: View

Redhat Information

No data.

CWE

CWE-416

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-09-15T00:00:00", "descriptions": [{"lang": "en", "value": "Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-03T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/php/php-src/commit/b88393f08a558eec14964a55d3c680fe67407712?w=1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.php.net/ChangeLog-7.php"}, {"name": "GLSA-201611-22", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201611-22"}, {"name": "1036836", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1036836"}, {"name": "[oss-security] 20160915 Re: CVE assignment for PHP 5.6.26 and 7.0.11", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/09/15/10"}, {"name": "RHSA-2018:1296", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1296"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.php.net/ChangeLog-5.php"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.tenable.com/security/tns-2016-19"}, {"name": "93006", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/93006"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.php.net/bug.php?id=72860"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-7413", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/php/php-src/commit/b88393f08a558eec14964a55d3c680fe67407712?w=1", "refsource": "CONFIRM", "url": "https://github.com/php/php-src/commit/b88393f08a558eec14964a55d3c680fe67407712?w=1"}, {"name": "http://www.php.net/ChangeLog-7.php", "refsource": "CONFIRM", "url": "http://www.php.net/ChangeLog-7.php"}, {"name": "GLSA-201611-22", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201611-22"}, {"name": "1036836", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1036836"}, {"name": "[oss-security] 20160915 Re: CVE assignment for PHP 5.6.26 and 7.0.11", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/09/15/10"}, {"name": "RHSA-2018:1296", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:1296"}, {"name": "http://www.php.net/ChangeLog-5.php", "refsource": "CONFIRM", "url": "http://www.php.net/ChangeLog-5.php"}, {"name": "https://www.tenable.com/security/tns-2016-19", "refsource": "CONFIRM", "url": "https://www.tenable.com/security/tns-2016-19"}, {"name": "93006", "refsource": "BID", "url": "http://www.securityfocus.com/bid/93006"}, {"name": "https://bugs.php.net/bug.php?id=72860", "refsource": "CONFIRM", "url": "https://bugs.php.net/bug.php?id=72860"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-7413", "datePublished": "2016-09-17T21:00:00", "dateReserved": "2016-09-09T00:00:00", "dateUpdated": "2018-05-03T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "D860D77C-575A-48A1-9475-485D26EF5E41", "versionEndIncluding": "5.6.25", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "DB6890AF-8A0A-46EE-AAD5-CF9AAE14A321", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "6B90B947-7B54-47F3-9637-2F4AC44079EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "35848414-BD5D-4164-84DC-61ABBB1C4152", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "2B1F8402-8551-4F66-A9A7-81D472AB058E", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "7A773E8E-48CD-4D35-A0FD-629BD9334486", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "FC492340-79AF-4676-A161-079A97EC6F0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F1C2D8FE-C380-4B43-B634-A3DBA4700A71", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "3EB58393-0C10-413C-8D95-6BAA8BC19A1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "751F51CA-9D88-4971-A6EC-8C0B72E8E22B", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "37B74118-8FC2-44CB-9673-A83DF777B2E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:7.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "4D56A200-1477-40DA-9444-CFC946157C69", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call."}, {"lang": "es", "value": "Vulnerabilidad de uso despu\u00e9s de liberaci\u00f3n de memoria en la funci\u00f3n wddx_stack_destroy en ext/wddx/wddx.c en PHP en versiones anteriores a 5.6.26 y 7.x en versiones anteriores a 7.0.11 permite a atacantes remotos provocar una denegaci\u00f3n de servicio o tener otro posible impacto no especificado a trav\u00e9s de un documento XML wddxPacket que carece de una etiqueta final para un elemento de campo de registro, produciendo una manejo incorrecto en una llamada wddx_deserialize."}], "id": "CVE-2016-7413", "lastModified": "2018-05-04T01:29:01.363", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-09-17T21:59:04.963", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2016/09/15/10"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "http://www.php.net/ChangeLog-5.php"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "http://www.php.net/ChangeLog-7.php"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/93006"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1036836"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2018:1296"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://bugs.php.net/bug.php?id=72860"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/php/php-src/commit/b88393f08a558eec14964a55d3c680fe67407712?w=1"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/201611-22"}, {"source": "cve@mitre.org", "url": "https://www.tenable.com/security/tns-2016-19"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}