CVE-2012-3450
Published: 2012-08-06
Priority: P4 · 21 · low · 2.6 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P
Exploit
EPSS: 11.18% (95.4th percentile)
pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.3.13 | — |
| php | php | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:N/A:P |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 2.6 | LOW | — |
Ubuntu
PHP vulnerabilities
vendor_ubuntu · 2012-09-17 · CVSS 4.3
CVE-2011-1398 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain character sequences
when applying HTTP response-splitting protection. A remote attacker could
create a specially-crafted URL and inject arbitrary headers.
(CVE-2011-1398, CVE-2012-4388)
It was discovered that PHP incorrectly handled directories with a large
number of files. This could allow a remote attacker to execute arbitrary
code with the privileges of the web server, or to perform a denial of
service. (CVE-2012-2688)
It was discovered that PHP incorrectly parsed certain PDO prepared
statements. A remote attacker could use this flaw to cause PHP to crash,
leading to a denial of service. (CVE-2012-3450)
Instructions: In general, a standard system upd
Red Hat
php: PDO array over-read crash
vendor_redhat · 2012-06-10 · CVSS 2.6
CVE-2012-3450 [LOW] php: PDO array over-read crash
php: PDO array over-read crash
pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value.
Statement: Red Hat does not consider this flaw to be a security issue. It is improbable that a script would accept untrusted user input or unvalidated script input data which would be treated as SQL prepared statements.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php (Red Hat Enterprise Linux 6) - Not affected
GHSA
GHSA-72h2-mx43-37v5: pdo_sql_parser
ghsa_unreviewed · 2022-05-17
CVE-2012-3450 [LOW] GHSA-72h2-mx43-37v5: pdo_sql_parser
pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value.
No detection rules found.
References
- http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00021.html
- http://seclists.org/bugtraq/2012/Jun/60
- http://www.debian.org/security/2012/dsa-2527
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:108
- http://www.openwall.com/lists/oss-security/2012/08/02/3
- http://www.openwall.com/lists/oss-security/2012/08/02/7
- http://www.php.net/ChangeLog-5.php
- http://www.ubuntu.com/usn/USN-1569-1
- https://bugs.php.net/bug.php?id=61755
- https://bugzilla.novell.com/show_bug.cgi?id=769785