CVE-2010-2094
published 2010-05-27CVE-2010-2094: Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory…
PriorityP347medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
12.65%
95.8th percentile
Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
CVSS provenance
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat6.8MEDIUM
vendor_ubuntu5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2010-09-20·CVSS 5.0
CVE-2010-0397 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Auke van Slooten discovered that PHP incorrectly handled certain xmlrpc
requests. An attacker could exploit this issue to cause the PHP server to
crash, resulting in a denial of service. This issue only affected Ubuntu
6.06 LTS, 8.04 LTS, 9.04 and 9.10. (CVE-2010-0397)
It was discovered that the pseudorandom number generator in PHP did not
provide the expected entropy. An attacker could exploit this issue to
predict values that were intended to be random, such as session cookies.
This issue only affected Ubuntu 6.06 LTS, 8.04 LTS, 9.04 and 9.10.
(CVE-2010-1128)
It was discovered that PHP did not properly handle directory pathnames that
lacked a trailing slash character. An attacker could exploit this issue to
bypass safe_mode restrictions. This issue only affe
Red Hat
php: Format string flaw in phar extension via phar_stream_flush() (MOPS-2010-024)
vendor_redhat·2010-05-14·CVSS 6.8
CVE-2010-2950 [MEDIUM] php: Format string flaw in phar extension via phar_stream_flush() (MOPS-2010-024)
php: Format string flaw in phar extension via phar_stream_flush() (MOPS-2010-024)
Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2094.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Red Hat
php: Multiple format string flaws in the phar extension (MOPS-2010-025 MOPS-2010-026 MOPS-2010-027 MOPS-2010-028)
vendor_redhat·2010-05-14·CVSS 6.8
CVE-2010-2094 [MEDIUM] php: Multiple format string flaws in the phar extension (MOPS-2010-025 MOPS-2010-026 MOPS-2010-027 MOPS-2010-028)
php: Multiple format string flaws in the phar extension (MOPS-2010-025 MOPS-2010-026 MOPS-2010-027 MOPS-2010-028)
Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function.
Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application St
GHSA
GHSA-wc9x-xr56-87qv: Multiple format string vulnerabilities in the phar extension in PHP 5
ghsa_unreviewed·2022-05-17
CVE-2010-2094 [MEDIUM] CWE-134 GHSA-wc9x-xr56-87qv: Multiple format string vulnerabilities in the phar extension in PHP 5
Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function.
GHSA
GHSA-95f3-2wqm-398g: Format string vulnerability in stream
ghsa_unreviewed·2022-05-17·CVSS 6.8
CVE-2010-2950 [MEDIUM] CWE-134 GHSA-95f3-2wqm-398g: Format string vulnerability in stream
Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2094.
No detection rules found.
Bugzilla
CVE-2010-2950 php: Format string flaw in phar extension via phar_stream_flush() (MOPS-2010-024)
bugzilla·2012-06-25·CVSS 6.8
CVE-2010-2950 [MEDIUM] CVE-2010-2950 php: Format string flaw in phar extension via phar_stream_flush() (MOPS-2010-024)
CVE-2010-2950 php: Format string flaw in phar extension via phar_stream_flush() (MOPS-2010-024)
A format string vulnerability in the phar extension in PHP 5.3 before 5.3.4 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush()
Reference:
http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html
Upstream commit (which was supposed to fix this issue):
http://svn.php.net/viewvc?view=revision&revision=298667
This upstream however commit does not fix phar_stream_flush() case mentioned in MOPS-2010-024.
The issue was however fixed now in:
http://svn.php.net/viewvc?view=revision&revision=302565
an
Bugzilla
CVE-2010-2094 php: Multiple format string flaws in the phar extension (MOPS-2010-025 MOPS-2010-026 MOPS-2010-027 MOPS-2010-028)
bugzilla·2010-06-01·CVSS 6.8
CVE-2010-2094 [MEDIUM] CVE-2010-2094 php: Multiple format string flaws in the phar extension (MOPS-2010-025 MOPS-2010-026 MOPS-2010-027 MOPS-2010-028)
CVE-2010-2094 php: Multiple format string flaws in the phar extension (MOPS-2010-025 MOPS-2010-026 MOPS-2010-027 MOPS-2010-028)
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2094 to
the following vulnerability:
Multiple format string vulnerabilities in the phar extension in PHP
5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive
information (memory contents) and possibly execute arbitrary code via
a crafted phar:// URI that is not properly handled by the (1)
phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4)
phar_wrapper_open_url functions in ext/phar/stream.c; and the (5)
phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers
errors in the php_stream_wrapper_log_error function.
References:
[1] http://php-secu
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.htmlhttp://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.htmlhttp://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.htmlhttp://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.htmlhttp://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.htmlhttp://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.htmlhttp://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2011:004http://www.vupen.com/english/advisories/2011/0068http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.htmlhttp://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.htmlhttp://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.htmlhttp://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.htmlhttp://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.htmlhttp://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.htmlhttp://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2011:004http://www.vupen.com/english/advisories/2011/0068
2010-05-27
Published